Analysis
max time kernel: 204s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 22:58
Behavioral task
behavioral1
Sample
895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
Resource
win10v2004-20221111-en
General
-
Target
895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
-
Size
218KB
-
MD5
32a0615410754e84b06f127f1601ea9d
-
SHA1
7188ae6ff8ebae133ecb91b68cc746d80d7c053e
-
SHA256
895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a
-
SHA512
b2d7cc6837af595fa3d3c3f970427ece1fe13d0e62c7faf70b8e934d6f32af42627bd379d6b9531bec3a1e13a1bb3fee48ac17095637214a369331052b30e185
-
SSDEEP
3072:N8DZDcdQRRwZJ+nqaTDZlBATQGB/OquFZYgdqI/gFgcg7XuPCGZe30RsApIh1ZE1:5QwwqaxAsc/gr5dP1jGZGtApgy
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: algs.exe
pid   process
4544  algs.exe
-
Processes:
resource  yara_rule
behavioral2/memory/204-133-0x0000000000400000-0x000000000047D000-memory.dmp  upx
behavioral2/memory/204-134-0x0000000000400000-0x000000000047D000-memory.dmp  upx
C:\algs.exe  upx
C:\algs.exe  upx
behavioral2/memory/4544-138-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral2/memory/204-139-0x0000000000400000-0x000000000047D000-memory.dmp  upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
description        ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
description      ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Naver Agents = "C:\\Users\\Admin\\AppData\\Local\\Temp\\895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe"  895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Naver Agents = "C:\\Users\\Admin\\AppData\\Local\\Temp\\895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe"  895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
Key created      \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
description       ioc  process
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3470103623"  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F74D5089-6E75-11ED-919F-7295FC24CA51} = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3470258985"  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999170"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999170"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000  iexplore.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes: iexplore.exe
pid   process
2364  iexplore.exe
2364  iexplore.exe
2364  iexplore.exe
2364  iexplore.exe
2364  iexplore.exe
2364  iexplore.exe
-
Suspicious use of SetWindowsHookEx 24 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
pid   process
2364  iexplore.exe
2364  iexplore.exe
888   IEXPLORE.EXE
888   IEXPLORE.EXE
2364  iexplore.exe
2364  iexplore.exe
4176  IEXPLORE.EXE
4176  IEXPLORE.EXE
2364  iexplore.exe
2364  iexplore.exe
4336  IEXPLORE.EXE
4336  IEXPLORE.EXE
2364  iexplore.exe
2364  iexplore.exe
4344  IEXPLORE.EXE
4344  IEXPLORE.EXE
2364  iexplore.exe
2364  iexplore.exe
4176  IEXPLORE.EXE
4176  IEXPLORE.EXE
2364  iexplore.exe
2364  iexplore.exe
4628  IEXPLORE.EXE
4628  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe, iexplore.exe
description                         pid   process  target process
PID 204 wrote to memory of 4544     204   895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe  algs.exe
PID 204 wrote to memory of 4544     204   895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe  algs.exe
PID 204 wrote to memory of 4544     204   895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe  algs.exe
PID 2364 wrote to memory of 888     2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 888     2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 888     2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4176    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4176    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4176    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4336    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4336    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4336    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4344    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4344    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4344    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4628    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4628    2364  iexplore.exe  IEXPLORE.EXE
PID 2364 wrote to memory of 4628    2364  iexplore.exe  IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
  "C:\Users\Admin\AppData\Local\Temp\895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\algs.exe
    "C:\algs.exe"
    - Executes dropped EXE
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
-
C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17416 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17420 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17424 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17432 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\algs.exe
Filesize 46KB
MD5 4b69db9d7c245b1e2b6dcb8a764cd1f2
SHA1 b6f506ea538d59f0ef9721ddbdd963dc3c6f5122
SHA256 db45111dc7ac77fcd23788a9dcdd1c38e1de9180cc35e432ef2120ba1ad35b5c
SHA512 5c1abcf59be354224843a727bd6c3bf4dae1d3a3914fdd241b74e7ca692dd94e09fb7ad6859b6b0484e9c296a76090b7e0859088927787b67b885d1b3720e0ea
-
memory/204-133-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/204-134-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/204-139-0x0000000000400000-0x000000000047D000-memory.dmp
Filesize 500KB
-
memory/4544-135-0x0000000000000000-mapping.dmp
-
memory/4544-138-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize 152KB