9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839

General

Target

9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Size

239KB
MD5

2f76a9f80d9ff4d19798974fdc632718
SHA1

04c805d6f9ca9f9980ababd37cb94d12ff2d7bdd
SHA256

9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839
SHA512

1d775bd1a50ebb9a3818b071887a3e775071fd9be24d4d9f1abde7de321ebbd389127a11e5545ed3c9941cf8b618261de37cf7e97829fd930cda5141f73b943b
SSDEEP

3072:kXu/MVID9mJCQnj3WCW2EW5W656N38Mxis5A26BNNXOng:kjCVKhMPaRV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4744	wnenvideocap.exe
4356	slvnvj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wnenvideocap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\SearchScopes	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4356	slvnvj.exe
4356	slvnvj.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4744	5036	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	81
PID 5036 wrote to memory of 4744	5036	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	81
PID 5036 wrote to memory of 4744	5036	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	81
PID 4744 wrote to memory of 4356	4744	wnenvideocap.exe	82
PID 4744 wrote to memory of 4356	4744	wnenvideocap.exe	82
PID 4744 wrote to memory of 4356	4744	wnenvideocap.exe	82

C:\Users\Admin\AppData\Local\Temp\9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
"C:\Users\Admin\AppData\Local\Temp\9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\nszBABA.tmp\wnenvideocap.exe
  C:\Users\Admin\AppData\Local\Temp\nszBABA.tmp\wnenvideocap.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\slvnvj.exe
    "C:\Users\Admin\AppData\Local\Temp\slvnvj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nszBABA.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszBABA.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
C:\Users\Admin\AppData\Local\Temp\slvnvj.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\slvnvj.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit

Analysis

Sharing