1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699

Analysis

max time kernel
102s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe
Size

448KB
MD5

186d181cb27c106db3855d7e72a5283c
SHA1

fa8f69727e0e4b06b37e1f2e01d4ea03207aeca8
SHA256

1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699
SHA512

08340e39177b60d66aff40308ae7d27146065e11bb2ed28a588c232a8531f062757b92d05b407b595326609e8fe4403a8299e70d54edcfee718ca9f0cdcd15fa
SSDEEP

6144:9ZuuObR8sVImcyYO7c+KRJy6cIWHeqH0WJ+jxHQp34zZ24pCvwSC1:CV+mzOlOJ4xy3QDpC21

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1476	MyHome.exe
1668	is-944B4.tmp

Loads dropped DLL 4 IoCs

pid	Process
1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe
1476	MyHome.exe
1668	is-944B4.tmp
1668	is-944B4.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MyHome\unins000.dat	is-944B4.tmp
File created	C:\Program Files (x86)\MyHome\is-3SOVJ.tmp	is-944B4.tmp
File created	C:\Program Files (x86)\MyHome\is-39MTD.tmp	is-944B4.tmp
File opened for modification	C:\Program Files (x86)\MyHome\unins000.dat	is-944B4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.babaw.com/"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{2153705A-F2F9-4220-83D8-EC1CEB581D21}"	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.babaw.com/"	regedit.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.babaw.com/"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
268	regedit.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1344	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	28
PID 1056 wrote to memory of 1344	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	28
PID 1056 wrote to memory of 1344	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	28
PID 1056 wrote to memory of 1344	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	28
PID 1344 wrote to memory of 268	1344	cmd.exe	30
PID 1344 wrote to memory of 268	1344	cmd.exe	30
PID 1344 wrote to memory of 268	1344	cmd.exe	30
PID 1344 wrote to memory of 268	1344	cmd.exe	30
PID 1056 wrote to memory of 1476	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	31
PID 1056 wrote to memory of 1476	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	31
PID 1056 wrote to memory of 1476	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	31
PID 1056 wrote to memory of 1476	1056	1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe	31
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32
PID 1476 wrote to memory of 1668	1476	MyHome.exe	32

C:\Users\Admin\AppData\Local\Temp\1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe
"C:\Users\Admin\AppData\Local\Temp\1d8f60ade4c60e92dad7e4708e72a5378a037bb08a26a774eca58fe47447d699.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.cmd" /VERYSILENT /SP- /NORESTART"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S "C:\Users\Admin\AppData\Local\Temp.\DefOpen.reg"
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Runs .reg file with regedit
    PID:268
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.exe" /VERYSILENT /SP- /NORESTART
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\is-EHO1C.tmp\is-944B4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EHO1C.tmp\is-944B4.tmp" /SL4 $30170 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.exe" 52253 52224 /VERYSILENT /SP- /NORESTART
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DefOpen.reg

Filesize
631B

MD5
21f47278069c8af79dc89aa668dfd3b4

SHA1
675d72919fd5b9653e3e4086c70ecb488649bd70

SHA256
79cc698586900744c993772ed6526bfa58d95de77a3ccb68929558dd3962c17e

SHA512
6c32703688520d1d65d025773315f82d278089e25924b3af89793123221265d86036512a2405b9cca8a26d83016c6da3ef03af88884b9c26bf9fe3a922903431

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.cmd

Filesize
1KB

MD5
2b94b5b4d7bb4d49241d85acbfd7fd6c

SHA1
82776afa901cd16936fa7e8d68e3de324dc7eb6d

SHA256
bcdfa74c45af8664a2159f27c67e11084024fcf60fd4fb1e9602277fbdd9062d

SHA512
cf83b78724b78676ffdb8d5a1d381d04547ad04e8512fb8001b709195cd303f22cdba43742f53b61dd1e474feab543665a6247edd1ba0cf0f9f8fb4e55a088fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.exe

Filesize
279KB

MD5
15bc905446ce834e2167a3ffae4a5fc9

SHA1
a40e7b70e7dc28e46f72bd990ad7188c420127b7

SHA256
c9e78d05d1a21955969d1b342cc6ec549cb156826e76b066f327f00a2a1acc7d

SHA512
2e065028f6ce7911d5820dcdc7545ebe6ff7f146623fad052a36c4f04d2ccbbcc3973d16cc7f14130b5013c6a7752d1f589d677db5596a44e7cc7c83ca414ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.exe

Filesize
279KB

MD5
15bc905446ce834e2167a3ffae4a5fc9

SHA1
a40e7b70e7dc28e46f72bd990ad7188c420127b7

SHA256
c9e78d05d1a21955969d1b342cc6ec549cb156826e76b066f327f00a2a1acc7d

SHA512
2e065028f6ce7911d5820dcdc7545ebe6ff7f146623fad052a36c4f04d2ccbbcc3973d16cc7f14130b5013c6a7752d1f589d677db5596a44e7cc7c83ca414ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EHO1C.tmp\is-944B4.tmp

Filesize
656KB

MD5
8e4a40adb516d9b159249251c9894ffe

SHA1
b3a8bcdceab7bd8520d013284775e6038ca2dd53

SHA256
216f3d8c023b57796e43b428f1df2dc3c94d6bd4795b1195a2798f0293af4be8

SHA512
1c00a7c8a0ed8cc9a5091296a858506a21840ee0a3a30e852f3a13e85400217c7ef35e08cdbcf9710b1e272c4480ef9c61fec85f0686cad038521c27b54d8b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EHO1C.tmp\is-944B4.tmp

Filesize
656KB

MD5
8e4a40adb516d9b159249251c9894ffe

SHA1
b3a8bcdceab7bd8520d013284775e6038ca2dd53

SHA256
216f3d8c023b57796e43b428f1df2dc3c94d6bd4795b1195a2798f0293af4be8

SHA512
1c00a7c8a0ed8cc9a5091296a858506a21840ee0a3a30e852f3a13e85400217c7ef35e08cdbcf9710b1e272c4480ef9c61fec85f0686cad038521c27b54d8b8b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MyHome.exe

Filesize
279KB

MD5
15bc905446ce834e2167a3ffae4a5fc9

SHA1
a40e7b70e7dc28e46f72bd990ad7188c420127b7

SHA256
c9e78d05d1a21955969d1b342cc6ec549cb156826e76b066f327f00a2a1acc7d

SHA512
2e065028f6ce7911d5820dcdc7545ebe6ff7f146623fad052a36c4f04d2ccbbcc3973d16cc7f14130b5013c6a7752d1f589d677db5596a44e7cc7c83ca414ad3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CLJPS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CLJPS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EHO1C.tmp\is-944B4.tmp

Filesize
656KB

MD5
8e4a40adb516d9b159249251c9894ffe

SHA1
b3a8bcdceab7bd8520d013284775e6038ca2dd53

SHA256
216f3d8c023b57796e43b428f1df2dc3c94d6bd4795b1195a2798f0293af4be8

SHA512
1c00a7c8a0ed8cc9a5091296a858506a21840ee0a3a30e852f3a13e85400217c7ef35e08cdbcf9710b1e272c4480ef9c61fec85f0686cad038521c27b54d8b8b

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/1056-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1344-55-0x0000000000000000-mapping.dmp

Download
memory/1476-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1476-67-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1476-61-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1668-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads