802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976

General

Target

802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe
Size

16KB
MD5

f4fe4258f4793ed9224f89186f8529ff
SHA1

9f203a8ae8e7fa66a45e1af85a392483651df76d
SHA256

802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976
SHA512

e121d8d41821671751f1602fc8d078a6e469a2e9742890ea302060b86795c4311fb9db77e367f79a5d53f3bbad3ab1abe00eb5fa9de1a93fc92c4714d0335631
SSDEEP

384:AYmvmOC3X2dvNmQl9Zeb4VIhwVPSfZL433333333I:AYm3CH6skZek9SV433333333I

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe D:\\VolumeXX"	mshta.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	mshta.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	548	attrib.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	548	attrib.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	548	attrib.exe	84

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3676	attrib.exe
4296	attrib.exe
3640	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	D:\VolumeXX\desktop.ini	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1177238915-1004336348-682003330-500\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.4191.com/?hta"	mshta.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell\open(&H)\command\ = "mshta.exe C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\NTUSER~1.HTA"	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\IsShortCut	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell\open(&H)\command	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell\open(&H)	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1048	4716	802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe	79
PID 4716 wrote to memory of 1048	4716	802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe	79
PID 4716 wrote to memory of 1048	4716	802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe	79
PID 1048 wrote to memory of 1924	1048	cmd.exe	81
PID 1048 wrote to memory of 1924	1048	cmd.exe	81
PID 1048 wrote to memory of 1924	1048	cmd.exe	81
PID 1048 wrote to memory of 4212	1048	cmd.exe	82
PID 1048 wrote to memory of 4212	1048	cmd.exe	82
PID 1048 wrote to memory of 4212	1048	cmd.exe	82

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3676	attrib.exe
4296	attrib.exe
3640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe
"C:\Users\Admin\AppData\Local\Temp\802cb15ec17b1ecf122249d9c4e58f32d52cf1b77be6989e44513a995b6f8976.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\PING.EXE
    ping 88.99.00.00
    3⤵
    - Runs ping.exe
    PID:1924
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Drops desktop.ini file(s)
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    PID:4212

C:\Windows\system32\attrib.exe
attrib +s +h "D:\RECYCLERMD4"
1⤵
- Process spawned unexpected child process
- Sets file to hidden
- Views/modifies file attributes
PID:3676

C:\Windows\system32\attrib.exe
attrib +s +h "D:\VolumeXX\desktop.ini"
1⤵
- Process spawned unexpected child process
- Sets file to hidden
- Views/modifies file attributes
PID:4296

C:\Windows\system32\attrib.exe
attrib +s +h "D:\VolumeXX"
1⤵
- Process spawned unexpected child process
- Sets file to hidden
- Views/modifies file attributes
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat

Filesize
70B

MD5
edea5cd5060d69b6c558fea75e330a67

SHA1
929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

SHA256
1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

SHA512
adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta

Filesize
7KB

MD5
b406ed0e1cf6eb046c6b4ecf2fa73694

SHA1
550eaf6e9854dc2d73a507ff2a57f1cbf8d1c662

SHA256
3186413894290ddb8a5f6e22c14d4e1b4fdfa6d12369c6f43ee43ab7e4e3bc7e

SHA512
1222fc8464e72f192881c9629648ad3ae95b81e3db085fc7977e776dc12f0b47a95bfb538b8d198e27ee4625b6985b8c0fbee1fa97a2ecac0009055f66962615

Download Submit
memory/1048-132-0x0000000000000000-mapping.dmp

Download
memory/1924-134-0x0000000000000000-mapping.dmp

Download
memory/4212-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads