abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33

General

Target

abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
Size

142KB
MD5

3d5cc80e30d902cf3e4fdbea43733734
SHA1

db40787906153b8ab6cceb49dabb4caa92048a5f
SHA256

abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33
SHA512

954cf73a563e7a7e4a7c9ba9346cb08425b3e781caff235a2af31cdab31992844af32e355f0cb43341099b568a16ddf4ffa288798fc44b046e45b0a831498d81
SSDEEP

3072:FYP2XerzhOUxu/XUtauF8iJkZcsuHs3mSkjwb6jXSr6s:Fu2urzh9xu/XkauF5JgcsQs3xkjx+rZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4832	google.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\game.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File created	C:\Program Files (x86)\mm.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File created	C:\Program Files (x86)\taobao.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File opened for modification	C:\Program Files\Internet Explorer\MUI\iexplore.exe	google.exe
File created	C:\Program Files\Thunder\ComDlls\1143\game.ico	google.exe
File created	C:\Program Files (x86)\google.exe	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File created	C:\Program Files\Internet Explorer\MUI\iexplore.exe	google.exe
File opened for modification	C:\Program Files\Thunder\ComDlls	google.exe
File created	C:\Program Files\Thunder\ComDlls\1143\mm.ico	google.exe
File opened for modification	C:\Program Files (x86)\game.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File opened for modification	C:\Program Files (x86)\mm.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File created	C:\Program Files (x86)\movie.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File opened for modification	C:\Program Files (x86)\movie.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File opened for modification	C:\Program Files (x86)\taobao.ico	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File created	C:\Program Files\Thunder\ComDlls\1143\bubhlq.exe	google.exe
File created	C:\Program Files\Thunder\ComDlls\1143\movie.ico	google.exe
File created	C:\Program Files\Thunder\ComDlls\1143\taobao.ico	google.exe
File created	C:\Program Files (x86)\__tmp_rar_sfx_access_check_240610921	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
File opened for modification	C:\Program Files (x86)\google.exe	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	google.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	google.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	google.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msm4\ = "msm4file"	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex\ContextMenuHandlers	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex\ContextMenuHandlers\	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\ = "open"	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\IsShortcut	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\NeverShowExt	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msm4	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file	google.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command\ = "\"C:\\Program Files\\Thunder\\ComDlls\\1143\\bubhlq.exe\" \"%1\""	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0"	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ = "¿ì½Ý·½Ê½"	google.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4832	4748	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe	79
PID 4748 wrote to memory of 4832	4748	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe	79
PID 4748 wrote to memory of 4832	4748	abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe	79

C:\Users\Admin\AppData\Local\Temp\abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe
"C:\Users\Admin\AppData\Local\Temp\abba28811aa830c0f1cfeefd51a6c5c3b2e3838361519ee472edc463e8f25e33.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files (x86)\google.exe
  "C:\Program Files (x86)\google.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\game.ico

Filesize
14KB

MD5
173d5c23af9b3a269eb19b1c7426e7d2

SHA1
47bab303b6880ddbecd3c138fedf028449150f85

SHA256
55e846ccb820e699dc0dff83931a78b4ce6ba8489be1b13aad2c062d3452e9ff

SHA512
8b123a7412208ee1786cdffea25afdfa61216ca290cf724489b990a423886e155afe642d42c6c2fa14a254437ee9e0b473a15aa0313e871d04426d888058ba4a

Download Submit
C:\Program Files (x86)\google.exe

Filesize
96KB

MD5
ed3b2eeddd7355ceacf25cd3c0539d21

SHA1
4fb56d20c2886f1d286fdfd5de871ec2ec5a56b1

SHA256
aee7751845e30df727827813eacf9b5c522c83f94a93f355a9bc706cf30dddb1

SHA512
693f3c1263f81618e17441e6e5a068e93a750a9c5ebe37bd88a0b042b711269fe0f40e0b97bea792a0698e05fe97e8f4eb7a207bc5b818b12c20290955ce4edf

Download Submit
C:\Program Files (x86)\google.exe

Filesize
96KB

MD5
ed3b2eeddd7355ceacf25cd3c0539d21

SHA1
4fb56d20c2886f1d286fdfd5de871ec2ec5a56b1

SHA256
aee7751845e30df727827813eacf9b5c522c83f94a93f355a9bc706cf30dddb1

SHA512
693f3c1263f81618e17441e6e5a068e93a750a9c5ebe37bd88a0b042b711269fe0f40e0b97bea792a0698e05fe97e8f4eb7a207bc5b818b12c20290955ce4edf

Download Submit
C:\Program Files (x86)\mm.ico

Filesize
9KB

MD5
c6b53df7e7006fc1ce1bfd8a57cc5dd4

SHA1
06ea81ea5758b4d5ae700edaf6aaacbcd834b86e

SHA256
82d3aefca8e69aaa86145495e8fd711070d694fd29f31bc3a1cd4c13abc26a66

SHA512
f5296f215aaac7149f8ab7d80a425263f057fc592f8356dd36f9ac228bde87371b6a1e4ddc974722227634f96cade4e097565659da6b549e51ccedd74bdbef57

Download Submit
C:\Program Files (x86)\movie.ico

Filesize
31KB

MD5
6ba5cc22c72b2fc4af1aad1bd163f7b2

SHA1
698566566c63f062fd08b471f96a44cce0238761

SHA256
c0ce5d64b3a16687ad373486d668de244fac5f8adcce676206f0da27ff3a76f1

SHA512
f849277bf27b04922f0a82effec32801f7b734b809f4968759397c3d3cff14aae4e760482c2bb62ebfa93163e01aac8bac9e3a5cd5fafbc77c1b54a64755543b

Download Submit
C:\Program Files (x86)\taobao.ico

Filesize
2KB

MD5
d77877537a5527e65aa9c34862c6b1e4

SHA1
4811c789b60dc8c25fcee1fa1e7b8a030c44c4eb

SHA256
0054c05f60ce75be1e31059a973f3f72544cdeaebab3f74eb446f78fa08f0493

SHA512
fd5a7c4f2a413d7291e00722f97a76aa7e37df0c3ffb86d54c1ac58e595d91ba08fc2c8c66ed74e20b4e873983e233112ff1859289370ef81ee05be7eea4a3d4

Download Submit

Analysis

Sharing