Analysis
- max time kernel: 192s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
  Resource: win10v2004-20221111-en
General
- Target: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
- Size: 61KB
- MD5: e027153d983946c3a5e336ba6639f178
- SHA1: 8648bb28d6a0d377ebdf4d91231cb54815001933
- SHA256: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
- SHA512: fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
- SSDEEP: 1536:pM3K0rz6fS/tdvyO2eLehvGb/r/CAp2/DSjh/Zku:i60rWfofvH3ehv6/Ce6SjfH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: iehelper.exe
    pid 792, process iehelper.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
    process: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iehelper = "C:\\Program Files (x86)\\Internet Explorer\\iehelper.exe /fw"
    process: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
    description: File created
    ioc: C:\Program Files (x86)\Internet Explorer\iehelper.exe
    process: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
    description: File opened for modification
    ioc: C:\Program Files (x86)\Internet Explorer\iehelper.exe
    process: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
    description: PID 3380 wrote to memory of 792; pid 3380; process dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe; target process iehelper.exe
    description: PID 3380 wrote to memory of 792; pid 3380; process dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe; target process iehelper.exe
    description: PID 3380 wrote to memory of 792; pid 3380; process dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe; target process iehelper.exe
    description: PID 3380 wrote to memory of 1768; pid 3380; process dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe; target process cmd.exe
    description: PID 3380 wrote to memory of 1768; pid 3380; process dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe; target process cmd.exe
    description: PID 3380 wrote to memory of 1768; pid 3380; process dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe; target process cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iehelper.exe
    command line: "C:\Program Files (x86)\Internet Explorer\iehelper.exe" /fw
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\winimes.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Internet Explorer\iehelper.exe
  Filesize: 61KB
  MD5: e027153d983946c3a5e336ba6639f178
  SHA1: 8648bb28d6a0d377ebdf4d91231cb54815001933
  SHA256: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
  SHA512: fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
- C:\Program Files (x86)\Internet Explorer\iehelper.exe
  Filesize: 61KB
  MD5: e027153d983946c3a5e336ba6639f178
  SHA1: 8648bb28d6a0d377ebdf4d91231cb54815001933
  SHA256: dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
  SHA512: fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
- C:\Users\Admin\AppData\Local\Temp\winimes.bat
  Filesize: 253B
  MD5: 7bd8377077c4cccb94f65fff2db67bb7
  SHA1: 18f8829c34768c160c63cf408b3c973138bb0a07
  SHA256: bdb89c111e19d2f35a739ef1cf370541755c6b2cb8c775527589efd9fa825962
  SHA512: b54755ce0990193ecf48be5875d675c4e13b1e9b0619075d244f5fe6da449917e5f13929c39530cf5f935ac81dbf67dfc8d53f28874b462fe819015840a0a5c8
- memory/792-134-0x0000000000000000-mapping.dmp
- memory/1768-137-0x0000000000000000-mapping.dmp
- memory/3380-132-0x0000000010000000-0x0000000010019000-memory.dmp
  Filesize: 100KB