eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768

Analysis

max time kernel
167s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe
Size

50KB
MD5

1c69beea9fac0b197191be566883f8fb
SHA1

1904cee0dc4d1eeef915aec289d2237fabe33333
SHA256

eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768
SHA512

184d147bf20a754077ae52e48d8035f3a4953ab944d5c9cdc6f07bb7a1c6c4f142c6cd60b45b183411a19dccf92cf7ea853677791fe69ef04323dc601d82d8ed
SSDEEP

768:0unq3sohibJC6qmmAbDChbSz5DR2T6lez6rrSYMWVZVwHKqCPvaL:pRbJmmmAKFX2dVZVwHKqSvaL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3696	inl705.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	inl705.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winRarExt64.dat	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3CC47EE7-76A3-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe
Token: SeIncBasePriorityPrivilege	3696	inl705.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2172	iexplore.exe
2172	iexplore.exe
3228	IEXPLORE.EXE
3228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 5096	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	85
PID 1112 wrote to memory of 5096	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	85
PID 1112 wrote to memory of 5096	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	85
PID 1112 wrote to memory of 112	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	87
PID 1112 wrote to memory of 112	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	87
PID 1112 wrote to memory of 112	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	87
PID 1112 wrote to memory of 228	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	89
PID 1112 wrote to memory of 228	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	89
PID 1112 wrote to memory of 228	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	89
PID 112 wrote to memory of 3652	112	cmd.exe	91
PID 112 wrote to memory of 3652	112	cmd.exe	91
PID 112 wrote to memory of 3652	112	cmd.exe	91
PID 228 wrote to memory of 3596	228	cmd.exe	93
PID 228 wrote to memory of 3596	228	cmd.exe	93
PID 228 wrote to memory of 3596	228	cmd.exe	93
PID 5096 wrote to memory of 3696	5096	cmd.exe	92
PID 5096 wrote to memory of 3696	5096	cmd.exe	92
PID 5096 wrote to memory of 3696	5096	cmd.exe	92
PID 1112 wrote to memory of 2172	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	95
PID 1112 wrote to memory of 2172	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	95
PID 1112 wrote to memory of 3256	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	96
PID 1112 wrote to memory of 3256	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	96
PID 1112 wrote to memory of 3256	1112	eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe	96
PID 2172 wrote to memory of 3228	2172	iexplore.exe	102
PID 2172 wrote to memory of 3228	2172	iexplore.exe	102
PID 2172 wrote to memory of 3228	2172	iexplore.exe	102
PID 3696 wrote to memory of 5084	3696	inl705.tmp	103
PID 3696 wrote to memory of 5084	3696	inl705.tmp	103
PID 3696 wrote to memory of 5084	3696	inl705.tmp	103

C:\Users\Admin\AppData\Local\Temp\eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe
"C:\Users\Admin\AppData\Local\Temp\eecb5a67c11f3c210e0f46562af7bc356f2b1c2b8e16a9be2b2a8b597f019768.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\inl705.tmp
    C:\Users\Admin\AppData\Local\Temp\inl705.tmp dml-oadmp.tmp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl705.tmp > nul
      4⤵
      PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    - Drops file in Windows directory
    PID:3596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EECB5A~1.EXE > nul
  2⤵
  PID:3256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dml-oadmp.tmp

Filesize
795B

MD5
c12ec84b236018f7076bb56f79c66832

SHA1
02ad25b4ea28916203ac3cd1a4fc48c39b5f3dc2

SHA256
1114da7ea9e9e7fe93b3feaff40cabee22c7e9b81ecfd0e40f05d9ebeee7ca3d

SHA512
7255f00f14c337b67611304972ffa88a5882136f7c0d5405aa7814187b733acabd4460e4f9c23b86fdb68213b69d9591c13d1fb3be719dafde55da167e33b1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl705.tmp

Filesize
57.2MB

MD5
c5ae1c084eb943ba5ed85d0af0eb7a9e

SHA1
8a20475e619fec519f05758ed18a6e2e214a1b4a

SHA256
59a3cb7f4540d70f24628a1db1c53e4d0ae828fd6d682dce30447c86db8d9f5b

SHA512
457d11cd820ceaae4df5fe39982bb04f5826cdd8a78250168bba983a651b27ff6a3a302691acb6ce36b0e973eae5a928de37e4c14eb42cde07de9211e69ba987

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl705.tmp

Filesize
57.2MB

MD5
c5ae1c084eb943ba5ed85d0af0eb7a9e

SHA1
8a20475e619fec519f05758ed18a6e2e214a1b4a

SHA256
59a3cb7f4540d70f24628a1db1c53e4d0ae828fd6d682dce30447c86db8d9f5b

SHA512
457d11cd820ceaae4df5fe39982bb04f5826cdd8a78250168bba983a651b27ff6a3a302691acb6ce36b0e973eae5a928de37e4c14eb42cde07de9211e69ba987

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
58B

MD5
a6665a428d51da363120a1c345238d69

SHA1
a03ef4a3beb11e49acbdf0019a8bc8810ba80054

SHA256
6d31b60d0a796e851850d45e5513f566c31f2894de674ac2fd77208e10d0a9ad

SHA512
d8d8f1a2bd2c4b601d42921ed9b6aaf1e58311c03ecabc1faf31813612e05124e1d2f8de0daf21668f20841d06b0f6ecabae759bf62bda21e3e110009496d886

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
524B

MD5
62a2126d86b4aa489e696d593a3579d7

SHA1
1925bad55c4ab7d6b7e7f3118f31c2ebac9ded5a

SHA256
d62cef36cbd98e7a37d716ffda5ca0da77144625a5c43b1322e980020884fbf5

SHA512
a53e4e8b74dae3e6ab367cba50ed4cac925727a40c8962277ecea5604d9ae76cd1e42c78c04235bd80e82755de3f374f89c6885eec60620881c246379ff067f6

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/3696-144-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download