ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47

General

Target

ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe
Size

46KB
MD5

b3c341a600e3cfa5eba64c13b6db5e87
SHA1

0da1642952dc65664453c587277634af0fe0354d
SHA256

ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47
SHA512

6d932a3c36a05b094103d7bd33f3ec55be6780ad3ad99ac288e407ab690923283a46a0d40f388feaaf7880e68e4ce0ac9b413e5cc8a76f17878f6316501d1a64
SSDEEP

384:rxSIazxksfSGPCTFA0WO25HgsnghJQdVmQsZn9ZldG5F6BufsiN+FG:XyxjOFA0TwHWJQdV7sRbHG5Ff+FG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	winlognn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	Regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winlognn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlognn.exe"	winlognn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlognn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlognn.exe"	winlognn.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF4552-94F1-42BD-F434-3604812C807D}	Regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eawdh3hbg87dkjn.dll	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32\ = "C:\\Windows\\SysWow64\\eawdh3hbg87dkjn.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\ = "C:\\Windows\\SysWow64\\eawdh3hbg87dkjn.dll"	Regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1504	Regsvr32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1504	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	82
PID 2224 wrote to memory of 1504	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	82
PID 2224 wrote to memory of 1504	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	82
PID 2224 wrote to memory of 2032	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	83
PID 2224 wrote to memory of 2032	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	83
PID 2224 wrote to memory of 2032	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	83
PID 2224 wrote to memory of 2300	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	84
PID 2224 wrote to memory of 2300	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	84
PID 2224 wrote to memory of 2300	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	84
PID 2224 wrote to memory of 348	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	85
PID 2224 wrote to memory of 348	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	85
PID 2224 wrote to memory of 348	2224	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	85

C:\Users\Admin\AppData\Local\Temp\ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe
"C:\Users\Admin\AppData\Local\Temp\ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\Windows\system32\eawdh3hbg87dkjn.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\winlognn.exe
  C:\Users\Admin\AppData\Local\Temp\winlognn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2032
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Modifies registry class
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p2hhr.bat" "C:\Users\Admin\AppData\Local\Temp\ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe""
  2⤵
  PID:348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\p2hhr.bat

Filesize
46B

MD5
4eb5eeba568b8c5912ccd65442c964ce

SHA1
b4af6dd121ef6a57e5799e812bb795db0659a8a1

SHA256
a0620011f49bc3947e6d1d8c45c3135f640c331b679ed0eb6f97d7028ec113e6

SHA512
671b8be20b29af30450d4a36c8f71d6bc29718cfcac35b3788cd60c8141206ac3081a93c094234a6c7d1126e4690ce6536ab9a6535072d80a866b1ce83812b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlognn.exe

Filesize
14KB

MD5
2b8473ecc65c913d7352235707ca7968

SHA1
843d8455d2facba96a2accda0f9306987ae8c11a

SHA256
295562e1691358ff11f14a72c936a1db789627b7789476bcde38bf7899d63063

SHA512
4911a6252f0f4e716e5812076695e68524a19577e08fdb971a6987e72a24ca2d8bd204f9f1fd2b4572c11956d7af56519dcf99955ca31a02b40ff15c17bb2f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlognn.exe

Filesize
14KB

MD5
2b8473ecc65c913d7352235707ca7968

SHA1
843d8455d2facba96a2accda0f9306987ae8c11a

SHA256
295562e1691358ff11f14a72c936a1db789627b7789476bcde38bf7899d63063

SHA512
4911a6252f0f4e716e5812076695e68524a19577e08fdb971a6987e72a24ca2d8bd204f9f1fd2b4572c11956d7af56519dcf99955ca31a02b40ff15c17bb2f27

Download Submit
C:\Windows\SysWOW64\eawdh3hbg87dkjn.dll

Filesize
14KB

MD5
ab1269a7a2c902423b35b0f116dc1608

SHA1
616761ccde5a7eb19cfe18f700b0d8d414a0b5c0

SHA256
773f6c603e464bfcfbd13c2999a54cc96d2a47411c5ad1576ec89006480d113a

SHA512
ec1c86a76e873f07b126f7ded278c9118dc00d19ce4b1c2912272d41c5a0c1b1295b864f4d36d5e1ada84bcc0313ee2130e91f832843f408a9d8812b74315a80

Download Submit
C:\Windows\SysWOW64\eawdh3hbg87dkjn.dll

Filesize
14KB

MD5
ab1269a7a2c902423b35b0f116dc1608

SHA1
616761ccde5a7eb19cfe18f700b0d8d414a0b5c0

SHA256
773f6c603e464bfcfbd13c2999a54cc96d2a47411c5ad1576ec89006480d113a

SHA512
ec1c86a76e873f07b126f7ded278c9118dc00d19ce4b1c2912272d41c5a0c1b1295b864f4d36d5e1ada84bcc0313ee2130e91f832843f408a9d8812b74315a80

Download Submit
memory/1504-137-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2032-141-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2032-146-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2224-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2224-136-0x0000000000490000-0x0000000000495000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads