42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd

General

Target

42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
Size

2.1MB
MD5

88bf60d3a425bb68de8ad4d32417b3e2
SHA1

4e59f5b4c6e279d15d7ff6cd65ae3b12ff480078
SHA256

42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd
SHA512

a96d4f27b532fb51c29f6c815a7c9fafb1847923b5016bc5712c7680eb11ab0bb6f1610fc56b8a0da20b74c5fb6fb0c65d9898f973393f0d7763d13d53108469
SSDEEP

49152:bzy0qcLCVWBorny6Sd9VXnlhNoME4G89:bz9hBwsDXE4G8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SoftwareFallback = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "5140"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "140"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\GPU	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = c85df0483d72d901	rundll32.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\Main\OperationalData = "1"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe
Token: SeDebugPrivilege	1916	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1848	rundll32.exe
3928	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3928	4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe	87
PID 4368 wrote to memory of 3928	4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe	87
PID 4368 wrote to memory of 3928	4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe	87
PID 4368 wrote to memory of 1848	4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe	88
PID 4368 wrote to memory of 1848	4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe	88
PID 4368 wrote to memory of 1848	4368	42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe	88
PID 1848 wrote to memory of 3780	1848	rundll32.exe	89
PID 1848 wrote to memory of 3780	1848	rundll32.exe	89
PID 1848 wrote to memory of 3780	1848	rundll32.exe	89
PID 3928 wrote to memory of 864	3928	rundll32.exe	91
PID 3928 wrote to memory of 864	3928	rundll32.exe	91
PID 3928 wrote to memory of 864	3928	rundll32.exe	91
PID 1848 wrote to memory of 1916	1848	rundll32.exe	92
PID 1848 wrote to memory of 1916	1848	rundll32.exe	92
PID 1848 wrote to memory of 1916	1848	rundll32.exe	92

C:\Users\Admin\AppData\Local\Temp\42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe
"C:\Users\Admin\AppData\Local\Temp\42e4def6476d318a9bfadd9ce84cf1a6fddd7950c8b3418c2e3bd1f2ce5afdbd.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" inetcpl.cpl,ClearMyTracksByProcess 8
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Modifies registry class
    PID:864
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" inetcpl.cpl,ClearMyTracksByProcess 1
  2⤵
  - Checks computer location settings
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:1 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Drops desktop.ini file(s)
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini

Filesize
130B

MD5
941682911c20b2dabecb20476f91c98a

SHA1
0b0becf019cb15e75cdfa23bf0d4cb976f109baa

SHA256
3fef99e07b0455f88a5bb59e83329d0bfcebe078d907985d0abf70be26b9b89a

SHA512
a12f5caf5fd39cf2ae600e4378b9296d07787a83ae76bc410b89182a2f8e3202c4ca80d811d548193dff439541de9447f9fa141ebfd771e7ab7a6053cb4af2b3

Download Submit
memory/4368-133-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4368-138-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing