933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307

General

Target

933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe
Size

50KB
MD5

0b673c2ed0b4add50f7c19ab2e369912
SHA1

797ba8f7d91d9482e978c74a259945626ab9941e
SHA256

933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307
SHA512

90562bc7854c55a0426b3fb4bfc63032c0b5e05f6567fc8be335758bbf7c4a35fd5b4515cbb47e5edcac0bbd051eb60a0b47bf95781215c0593aef0e0b1ab966
SSDEEP

768:0unq3sohibJC6qmmAbDChbSz5DR2T6lez6rrSYMWVZVwHKqCPvaV:pRbJmmmAKFX2dVZVwHKqSvaV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	inlE138.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winRarExt64.dat	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001872"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3552365142"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{113C0742-7904-11ED-919F-D2F35ABB710A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3552365142"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001872"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1144	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1144	iexplore.exe
1144	iexplore.exe
4732	IEXPLORE.EXE
4732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 5052	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	86
PID 2344 wrote to memory of 5052	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	86
PID 2344 wrote to memory of 5052	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	86
PID 2344 wrote to memory of 1880	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	87
PID 2344 wrote to memory of 1880	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	87
PID 2344 wrote to memory of 1880	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	87
PID 2344 wrote to memory of 1572	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	90
PID 2344 wrote to memory of 1572	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	90
PID 2344 wrote to memory of 1572	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	90
PID 5052 wrote to memory of 2660	5052	cmd.exe	92
PID 5052 wrote to memory of 2660	5052	cmd.exe	92
PID 5052 wrote to memory of 2660	5052	cmd.exe	92
PID 1572 wrote to memory of 4280	1572	cmd.exe	93
PID 1572 wrote to memory of 4280	1572	cmd.exe	93
PID 1572 wrote to memory of 4280	1572	cmd.exe	93
PID 1880 wrote to memory of 3908	1880	cmd.exe	94
PID 1880 wrote to memory of 3908	1880	cmd.exe	94
PID 1880 wrote to memory of 3908	1880	cmd.exe	94
PID 2344 wrote to memory of 1144	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	95
PID 2344 wrote to memory of 1144	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	95
PID 2344 wrote to memory of 932	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	97
PID 2344 wrote to memory of 932	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	97
PID 2344 wrote to memory of 932	2344	933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe	97
PID 1144 wrote to memory of 4732	1144	iexplore.exe	100
PID 1144 wrote to memory of 4732	1144	iexplore.exe	100
PID 1144 wrote to memory of 4732	1144	iexplore.exe	100

C:\Users\Admin\AppData\Local\Temp\933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe
"C:\Users\Admin\AppData\Local\Temp\933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\inlE138.tmp
    C:\Users\Admin\AppData\Local\Temp\inlE138.tmp dml-oadmp.tmp
    3⤵
    - Executes dropped EXE
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    - Drops file in Windows directory
    PID:4280
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\933FD2~1.EXE > nul
  2⤵
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dml-oadmp.tmp

Filesize
795B

MD5
c12ec84b236018f7076bb56f79c66832

SHA1
02ad25b4ea28916203ac3cd1a4fc48c39b5f3dc2

SHA256
1114da7ea9e9e7fe93b3feaff40cabee22c7e9b81ecfd0e40f05d9ebeee7ca3d

SHA512
7255f00f14c337b67611304972ffa88a5882136f7c0d5405aa7814187b733acabd4460e4f9c23b86fdb68213b69d9591c13d1fb3be719dafde55da167e33b1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlE138.tmp

Filesize
57.2MB

MD5
81fa3eaf336b4a7cfe4e6f7ec97ece96

SHA1
a2453819f7d7943bb2609e373ec94258b8689f1f

SHA256
06f114273e13e79ac0ce166f39ee60b86978a108a8c513a79a14a1215b9b354b

SHA512
d5334b51ea6f108546bb58c563af5f1480734f7bbfc68166fb8e84892fe2c24f12d1850f4dfa176993e0616a8681f0c813e7e88771fe76a8b2f24fef764e916f

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlE138.tmp

Filesize
57.2MB

MD5
81fa3eaf336b4a7cfe4e6f7ec97ece96

SHA1
a2453819f7d7943bb2609e373ec94258b8689f1f

SHA256
06f114273e13e79ac0ce166f39ee60b86978a108a8c513a79a14a1215b9b354b

SHA512
d5334b51ea6f108546bb58c563af5f1480734f7bbfc68166fb8e84892fe2c24f12d1850f4dfa176993e0616a8681f0c813e7e88771fe76a8b2f24fef764e916f

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
59B

MD5
1edf69c077b4b8fd5e1e0d48e24d4da9

SHA1
6c5e5773cfa9f6e5169ad885c888e95420e5aac6

SHA256
a16fcd29252dbbad963ec34750c73d7d11b1f14cd534eaf58ee2b999eab60483

SHA512
e9fa901adc275dfc2a76ce46e295a78ea442d2a17e10e25a40323a8477c37e181d5ed6f08e1df240001dad123cff12861b24c49a45b823da6fe6f4815f59da1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
524B

MD5
62a2126d86b4aa489e696d593a3579d7

SHA1
1925bad55c4ab7d6b7e7f3118f31c2ebac9ded5a

SHA256
d62cef36cbd98e7a37d716ffda5ca0da77144625a5c43b1322e980020884fbf5

SHA512
a53e4e8b74dae3e6ab367cba50ed4cac925727a40c8962277ecea5604d9ae76cd1e42c78c04235bd80e82755de3f374f89c6885eec60620881c246379ff067f6

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/2660-146-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing