8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540

General

Target

8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
Size

1.3MB
MD5

d59aecc53bffd1ce94c7228677d5052b
SHA1

484649121d49ea25bc25891cc992d158d28b6c45
SHA256

8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540
SHA512

cdce858a409ee4bcb0eac1fdd7f8d7e9099dc98c7996f7c56a5cab8b04206e01c7dd415ce525756ed3b5b8ec1b4a62beff782eeb49dd6f3a378b14f928ec2639
SSDEEP

24576:wQ1Sh+bUS9gkJ6B3bhXsfv2wyj8s64wMzvrA4g6RldARa9pEKazp:d1Svs6NdTwyj8s3zzrg6RTARa96KQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1192	~DFDB1014.TMP

Loads dropped DLL 2 IoCs

pid	Process
1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "ÍøÒ³ËÑË÷"	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.go2000.cn/p/?q={searchTerms}"	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	~DFDB1014.TMP
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1192	~DFDB1014.TMP
1192	~DFDB1014.TMP

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28
PID 1652 wrote to memory of 1192	1652	8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe	28

C:\Users\Admin\AppData\Local\Temp\8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe
"C:\Users\Admin\AppData\Local\Temp\8e2b0dc06224a3706c50211cfb76e34d7a5823d8d1c809f30f7ad1367cf9a540.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\~DFDB1014.TMP
  C:\Users\Admin\AppData\Local\Temp\~DFDB1014.TMP
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFDB1014.TMP

Filesize
1.3MB

MD5
d3c7b5eac9aa39968deb11945e6f1f91

SHA1
aa22e9f0eb059b87502243811b910e710e15fd7d

SHA256
184a7a4479cd2aa8b8c9430f695817ec0780b5e8f02248736d16092220250edf

SHA512
b9d168ef6553be003997394a57abbe3a5a47da779f5213fa6eaeaed2937499cef63c6875f9501b8fb581370511cdc7d185fafe1085e433ec82c94451f9460b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFDB1014.TMP

Filesize
1.3MB

MD5
d3c7b5eac9aa39968deb11945e6f1f91

SHA1
aa22e9f0eb059b87502243811b910e710e15fd7d

SHA256
184a7a4479cd2aa8b8c9430f695817ec0780b5e8f02248736d16092220250edf

SHA512
b9d168ef6553be003997394a57abbe3a5a47da779f5213fa6eaeaed2937499cef63c6875f9501b8fb581370511cdc7d185fafe1085e433ec82c94451f9460b47

Download Submit
\Users\Admin\AppData\Local\Temp\~DFDB1014.TMP

Filesize
1.3MB

MD5
d3c7b5eac9aa39968deb11945e6f1f91

SHA1
aa22e9f0eb059b87502243811b910e710e15fd7d

SHA256
184a7a4479cd2aa8b8c9430f695817ec0780b5e8f02248736d16092220250edf

SHA512
b9d168ef6553be003997394a57abbe3a5a47da779f5213fa6eaeaed2937499cef63c6875f9501b8fb581370511cdc7d185fafe1085e433ec82c94451f9460b47

Download Submit
\Users\Admin\AppData\Local\Temp\~DFDB1014.TMP

Filesize
1.3MB

MD5
d3c7b5eac9aa39968deb11945e6f1f91

SHA1
aa22e9f0eb059b87502243811b910e710e15fd7d

SHA256
184a7a4479cd2aa8b8c9430f695817ec0780b5e8f02248736d16092220250edf

SHA512
b9d168ef6553be003997394a57abbe3a5a47da779f5213fa6eaeaed2937499cef63c6875f9501b8fb581370511cdc7d185fafe1085e433ec82c94451f9460b47

Download Submit
memory/1192-57-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing