196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf

General

Target

196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
Size

1.6MB
MD5

4cccc21fc45e1b65a646d0c55e9d0ac8
SHA1

e8fe3fbadda59888bdb6bf6d297638692e084959
SHA256

196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf
SHA512

8b8331b257c399e51a061990aee3bc6c1b17ada71b4166e7bb886c85be1cb4455a1d896b16df6417d9c298b457b65ca78ce0f65c5c8524d283a3fb30adc18c5c
SSDEEP

24576:GMv+gDEDgzmhiHP2EWPkPU04HrrFrUdtMnESJnQJE2/JKJ:GKzmIVJsFUcmE2/JKJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000388"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4093274140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000388"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1505F1B7-7338-11ED-919F-52DC8380D311} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4093274140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
680	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5072	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
5072	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
5072	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
5072	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
680	iexplore.exe
680	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 680	5072	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe	86
PID 5072 wrote to memory of 680	5072	196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe	86
PID 680 wrote to memory of 1640	680	iexplore.exe	87
PID 680 wrote to memory of 1640	680	iexplore.exe	87
PID 680 wrote to memory of 1640	680	iexplore.exe	87

C:\Users\Admin\AppData\Local\Temp\196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
"C:\Users\Admin\AppData\Local\Temp\196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xiugua.net/wg/dnf/20130121/1754.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:680 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1640