18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d

General

Target

18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe
Size

104KB
MD5

f6fde82954a6214cc0e6420ef1073825
SHA1

35677caf2cbf7162bedd354459459497975cbd2c
SHA256

18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d
SHA512

69b0fffcc5e92e3d6e82a6ec268f338c394c00fdfac34f6b514323028273925aa7067cdccdd25edfba9e2e66678cebabcbf7b916fc999b6886e024152585253e
SSDEEP

3072:twxVMhOC/dTDbq91+mno3t4QZQ3rt8iJkL0:tTfFDbRnOTrt5JA0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3688	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\GPU	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SoftwareFallback = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "140"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = cd7e7fae9806d901	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomStorageState	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "5140"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133144916791215747"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main\OperationalData = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
776	regedit.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4208	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3832	1496	18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe	84
PID 1496 wrote to memory of 3832	1496	18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe	84
PID 1496 wrote to memory of 3832	1496	18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe	84
PID 3832 wrote to memory of 3688	3832	cmd.exe	86
PID 3832 wrote to memory of 3688	3832	cmd.exe	86
PID 3832 wrote to memory of 3688	3832	cmd.exe	86
PID 3832 wrote to memory of 4208	3832	cmd.exe	87
PID 3832 wrote to memory of 4208	3832	cmd.exe	87
PID 3832 wrote to memory of 4208	3832	cmd.exe	87
PID 4208 wrote to memory of 788	4208	rundll32.exe	93
PID 4208 wrote to memory of 788	4208	rundll32.exe	93
PID 4208 wrote to memory of 788	4208	rundll32.exe	93
PID 4208 wrote to memory of 1400	4208	rundll32.exe	96
PID 4208 wrote to memory of 1400	4208	rundll32.exe	96
PID 4208 wrote to memory of 1400	4208	rundll32.exe	96
PID 3832 wrote to memory of 776	3832	cmd.exe	100
PID 3832 wrote to memory of 776	3832	cmd.exe	100
PID 3832 wrote to memory of 776	3832	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe
"C:\Users\Admin\AppData\Local\Temp\18507f81f97e4aee317f2a79792f4d38e57fc8159f32e5199840082c91da128d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\temp\IE_Clear_C.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Windows\SysWOW64\rundll32.exe
    RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
    3⤵
    - Checks computer location settings
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:255 WinX:0 WinY:0 IEFrame:00000000
      4⤵
      Drops desktop.ini file(s)
      Modifies Internet Explorer settings
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\temp\IE╥╗╝ⁿ╔Φ╓├.reg"
    3⤵
    - Runs .reg file with regedit
    PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\temp\IE_Clear_C.bat

Filesize
857B

MD5
c31825f6d4404b42705e45a78239ddff

SHA1
1138a71e913e28dde169db4726a6b67547594055

SHA256
78e797b068c662ff4a7ef2acb78631e12f88627197179a800fefecfd17c53302

SHA512
d44736766d570e26c018acf74d96f8578c7d69635b101f56f34b94213c8fa1f8ffb4f34505437294e1d42b9b6353dd3100e8c7a4ee0e16092b5c40f4f64c95ab

Download Submit

Analysis

Sharing