838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
Size

443KB
MD5

7ba9af95135661fa07fd6176987d06ac
SHA1

91da6fecde13311adb546756bffb4657b46aa466
SHA256

838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac
SHA512

3b53cd554bcb83b932bcba60931607a1207b54eb93da749db578acd335a2b75f9f02efd494c40d66e1671ecd6a96d9e6d1dea90ae152abdc9eb199d42761524d
SSDEEP

12288:L2Sp46zsRIDNIQUCjexGsh7O1uFc12drBDw:/JjTs81uyMfDw

Score

8^/10

adware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4140	wnggide.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-132-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4824-142-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe

Loads dropped DLL 2 IoCs

pid	Process
4288	regsvr32.exe
2036	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\	regsvr32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\wnggide.exe	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
File created	C:\Program Files (x86)\Internet Explorer\wnggide.dll	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\wnggide.dll	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
File created	C:\Program Files (x86)\Internet Explorer\mnggie.dll	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\mnggie.dll	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
File created	C:\Program Files (x86)\Internet Explorer\tglwsdq.bat	wnggide.exe
File created	C:\Program Files (x86)\Internet Explorer\wnggide.exe	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{2399DF94-F3B7-45F5-9FE5-86970F375E36}	regsvr32.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mnggie.mitsyt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}\ProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	wnggide.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wnggide.mytupot\Clsid\ = "{85C59C9F-B9D6-48C4-A51F-FB3285D48936}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	wnggide.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node	wnggide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	wnggide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wnggide.mytupot\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	wnggide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	wnggide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wnggide.mytupot	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mnggie.mitsyt\Clsid\ = "{2399DF94-F3B7-45F5-9FE5-86970F375E36}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID	wnggide.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	wnggide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\InprocServer32\ = "C:\\PROGRA~2\\INTERN~1\\wnggide.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}\InprocServer32\ = "C:\\PROGRA~2\\INTERN~1\\mnggie.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.135968.cn"	wnggide.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mnggie.mitsyt\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	wnggide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	wnggide.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wnggide.mytupot\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mnggie.mitsyt\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2399DF94-F3B7-45F5-9FE5-86970F375E36}\ProgID\ = "mnggie.mitsyt"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	wnggide.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C59C9F-B9D6-48C4-A51F-FB3285D48936}\ProgID\ = "wnggide.mytupot"	regsvr32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4288	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	81
PID 4824 wrote to memory of 4288	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	81
PID 4824 wrote to memory of 4288	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	81
PID 4824 wrote to memory of 2036	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	82
PID 4824 wrote to memory of 2036	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	82
PID 4824 wrote to memory of 2036	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	82
PID 4824 wrote to memory of 4140	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	83
PID 4824 wrote to memory of 4140	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	83
PID 4824 wrote to memory of 4140	4824	838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe	83
PID 4140 wrote to memory of 1120	4140	wnggide.exe	84
PID 4140 wrote to memory of 1120	4140	wnggide.exe	84
PID 4140 wrote to memory of 1120	4140	wnggide.exe	84

C:\Users\Admin\AppData\Local\Temp\838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe
"C:\Users\Admin\AppData\Local\Temp\838a0bdb4a30af59f37e656aa5b09eecf22b3fece9f2d9df0e71a7f5e3305bac.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s mnggie.dll
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4288
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s wnggide.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2036
- C:\Program Files (x86)\Internet Explorer\wnggide.exe
  "C:\Program Files (x86)\Internet Explorer\wnggide.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Internet Explorer\tglwsdq.bat""
    3⤵
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\mnggie.dll

Filesize
371KB

MD5
3e8b259213832773dbbd54eb7b4019fe

SHA1
b3967d01efee1b03cfae7093a83bec6f544f95fd

SHA256
2956271c3095a0e535ae93c495e2ec93c6a59aef9ecc0bf6873a0d0caabada76

SHA512
b52f91b902e99d3f809ecdf26590fec0ad5e74acda970e1ea338c08504b0eb6ee115be0eb0188306f870768551a9c7571246707608961dbed1e26e82e77d61da

Download Submit
C:\Program Files (x86)\Internet Explorer\mnggie.dll

Filesize
371KB

MD5
3e8b259213832773dbbd54eb7b4019fe

SHA1
b3967d01efee1b03cfae7093a83bec6f544f95fd

SHA256
2956271c3095a0e535ae93c495e2ec93c6a59aef9ecc0bf6873a0d0caabada76

SHA512
b52f91b902e99d3f809ecdf26590fec0ad5e74acda970e1ea338c08504b0eb6ee115be0eb0188306f870768551a9c7571246707608961dbed1e26e82e77d61da

Download Submit
C:\Program Files (x86)\Internet Explorer\tglwsdq.bat

Filesize
148B

MD5
190b3aeb9c00b8a7ffa7aca4880b81f7

SHA1
b8bc15652b8d6586536b018b3a0911c7778a2489

SHA256
a8696d2d4cd368f73a74486d92ba34c93360339add8bd7c7f76ba4a6a9db593a

SHA512
0642e2bd16aee94d9f4b6ef4da566ca754f4487357d3963a712fa3fa9717f1f61d90bc68c14947c21b82bbb2bf43878f5dc830efdea0b5600a5aaeeb78039c02

Download Submit
C:\Program Files (x86)\Internet Explorer\wnggide.dll

Filesize
411KB

MD5
984a36e79c04c57e23e315dbb195c909

SHA1
7c1a9aab36b5eff627cf10d1b08f41e5bdcdd3bd

SHA256
5ec39df4002da350242ce4c41b01f8cc3ad5437e298567a76d34447e2d43bfe8

SHA512
aa2b4d4324a34aaa4ac0278816d605ced196b75661d5bdb437cd36c8afc2dc5b9f8ee097051aa8285a936854b54a5937b709b568a8a7239571e844fa11fc2104

Download Submit
C:\Program Files (x86)\Internet Explorer\wnggide.dll

Filesize
411KB

MD5
984a36e79c04c57e23e315dbb195c909

SHA1
7c1a9aab36b5eff627cf10d1b08f41e5bdcdd3bd

SHA256
5ec39df4002da350242ce4c41b01f8cc3ad5437e298567a76d34447e2d43bfe8

SHA512
aa2b4d4324a34aaa4ac0278816d605ced196b75661d5bdb437cd36c8afc2dc5b9f8ee097051aa8285a936854b54a5937b709b568a8a7239571e844fa11fc2104

Download Submit
C:\Program Files (x86)\Internet Explorer\wnggide.exe

Filesize
122KB

MD5
521a745127e56ce0506aa9a36027a14b

SHA1
9a76927a15fc83e0a7af18b06d1c7a5c183d22bf

SHA256
f719ce3717eafc60379525b81083a1eafbf39548118a4fbc68394fd8a18006a5

SHA512
575c909ad68693fd5ef605524df08c645aff30238d8b10e11f7699e3d17c54455008cde0bc6945d7c64e45d7d316e3fc4a13d8967c5fb72aa62585204eaf44ac

Download Submit
C:\Program Files (x86)\Internet Explorer\wnggide.exe

Filesize
122KB

MD5
521a745127e56ce0506aa9a36027a14b

SHA1
9a76927a15fc83e0a7af18b06d1c7a5c183d22bf

SHA256
f719ce3717eafc60379525b81083a1eafbf39548118a4fbc68394fd8a18006a5

SHA512
575c909ad68693fd5ef605524df08c645aff30238d8b10e11f7699e3d17c54455008cde0bc6945d7c64e45d7d316e3fc4a13d8967c5fb72aa62585204eaf44ac

Download Submit
memory/4824-132-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4824-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads