dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea

Analysis

max time kernel
192s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
Size

61KB
MD5

e027153d983946c3a5e336ba6639f178
SHA1

8648bb28d6a0d377ebdf4d91231cb54815001933
SHA256

dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
SHA512

fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
SSDEEP

1536:pM3K0rz6fS/tdvyO2eLehvGb/r/CAp2/DSjh/Zku:i60rWfofvH3ehv6/Ce6SjfH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iehelper.exe

pid process

792 iehelper.exe

pid	process
792	iehelper.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iehelper = "C:\\Program Files (x86)\\Internet Explorer\\iehelper.exe /fw"	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

Drops file in Program Files directory 2 IoCs

Processes:

dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iehelper.exe	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iehelper.exe	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe

description	pid	process	target process
PID 3380 wrote to memory of 792	3380	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe	iehelper.exe
PID 3380 wrote to memory of 792	3380	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe	iehelper.exe
PID 3380 wrote to memory of 792	3380	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe	iehelper.exe
PID 3380 wrote to memory of 1768	3380	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe	cmd.exe
PID 3380 wrote to memory of 1768	3380	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe	cmd.exe
PID 3380 wrote to memory of 1768	3380	dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
"C:\Users\Admin\AppData\Local\Temp\dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3380

C:\Program Files (x86)\Internet Explorer\iehelper.exe
"C:\Program Files (x86)\Internet Explorer\iehelper.exe" /fw
2⤵
- Executes dropped EXE
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\winimes.bat
2⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\iehelper.exe
Filesize
61KB

MD5
e027153d983946c3a5e336ba6639f178

SHA1
8648bb28d6a0d377ebdf4d91231cb54815001933

SHA256
dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea

SHA512
fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554

Download Submit
C:\Program Files (x86)\Internet Explorer\iehelper.exe
Filesize
61KB

MD5
e027153d983946c3a5e336ba6639f178

SHA1
8648bb28d6a0d377ebdf4d91231cb54815001933

SHA256
dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea

SHA512
fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554

Download Submit
C:\Users\Admin\AppData\Local\Temp\winimes.bat
Filesize
253B

MD5
7bd8377077c4cccb94f65fff2db67bb7

SHA1
18f8829c34768c160c63cf408b3c973138bb0a07

SHA256
bdb89c111e19d2f35a739ef1cf370541755c6b2cb8c775527589efd9fa825962

SHA512
b54755ce0990193ecf48be5875d675c4e13b1e9b0619075d244f5fe6da449917e5f13929c39530cf5f935ac81dbf67dfc8d53f28874b462fe819015840a0a5c8

Download Submit
memory/792-134-0x0000000000000000-mapping.dmp

Download
memory/1768-137-0x0000000000000000-mapping.dmp

Download
memory/3380-132-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download