ead7dacfbe3fe40959353445ca3a754e9254c993d6a0efc7d99f960b01156df6

Analysis

max time kernel
173s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b439f0679891477a6720337b94d12e8.exe
Size

736KB
MD5

5b439f0679891477a6720337b94d12e8
SHA1

237f2259e8be726cdee3343ac0a5f4fa557c98dc
SHA256

ead7dacfbe3fe40959353445ca3a754e9254c993d6a0efc7d99f960b01156df6
SHA512

6bbe59f30d93972bb2e753364fe9ed2af6942c8b66430ecf111368a89cf952ea97ae2f5df009c4d5afbb8ae139bf0befc33c3a3267a55f573f95d1bd9723ab9c
SSDEEP

12288:gpQFKc84EnyLz1emmZ+kEOc4dYchfL7pNWZQZrJe2WhmbT:gpQAcnLzY7EP6PhfLziQMhhmbT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	5b439f0679891477a6720337b94d12e8.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	5b439f0679891477a6720337b94d12e8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	5b439f0679891477a6720337b94d12e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Version Vector	5b439f0679891477a6720337b94d12e8.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shellex	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\open	5b439f0679891477a6720337b94d12e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\ShellFolder\Attributes = "0"	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\InprocServer32	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\InprocServer32\InprocServer32 = "Apartment"	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\open\command	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\ÊôÐÔ(&R)	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\lnkfile	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\DefaultIcon	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\ÊôÐÔ(&R)\Command	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\ShellFolder	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\ÊôÐÔ(&R)	5b439f0679891477a6720337b94d12e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open\command	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.1188.com/?5b439f0679891477a6720337b94d12e8"	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	5b439f0679891477a6720337b94d12e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\ = "Internet Explorer"	5b439f0679891477a6720337b94d12e8.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4572	4888	5b439f0679891477a6720337b94d12e8.exe	98
PID 4888 wrote to memory of 4572	4888	5b439f0679891477a6720337b94d12e8.exe	98
PID 4888 wrote to memory of 4572	4888	5b439f0679891477a6720337b94d12e8.exe	98
PID 4888 wrote to memory of 5024	4888	5b439f0679891477a6720337b94d12e8.exe	100
PID 4888 wrote to memory of 5024	4888	5b439f0679891477a6720337b94d12e8.exe	100
PID 4888 wrote to memory of 5024	4888	5b439f0679891477a6720337b94d12e8.exe	100
PID 4888 wrote to memory of 2288	4888	5b439f0679891477a6720337b94d12e8.exe	102
PID 4888 wrote to memory of 2288	4888	5b439f0679891477a6720337b94d12e8.exe	102
PID 4888 wrote to memory of 2288	4888	5b439f0679891477a6720337b94d12e8.exe	102
PID 4888 wrote to memory of 1040	4888	5b439f0679891477a6720337b94d12e8.exe	105
PID 4888 wrote to memory of 1040	4888	5b439f0679891477a6720337b94d12e8.exe	105
PID 4888 wrote to memory of 1040	4888	5b439f0679891477a6720337b94d12e8.exe	105
PID 4888 wrote to memory of 4720	4888	5b439f0679891477a6720337b94d12e8.exe	106
PID 4888 wrote to memory of 4720	4888	5b439f0679891477a6720337b94d12e8.exe	106
PID 4888 wrote to memory of 4720	4888	5b439f0679891477a6720337b94d12e8.exe	106
PID 2288 wrote to memory of 4200	2288	cmd.exe	111
PID 2288 wrote to memory of 4200	2288	cmd.exe	111
PID 2288 wrote to memory of 4200	2288	cmd.exe	111
PID 4720 wrote to memory of 3588	4720	cmd.exe	120
PID 4720 wrote to memory of 3588	4720	cmd.exe	120
PID 4720 wrote to memory of 3588	4720	cmd.exe	120
PID 4572 wrote to memory of 2492	4572	cmd.exe	112
PID 4572 wrote to memory of 2492	4572	cmd.exe	112
PID 4572 wrote to memory of 2492	4572	cmd.exe	112
PID 5024 wrote to memory of 3680	5024	cmd.exe	119
PID 5024 wrote to memory of 3680	5024	cmd.exe	119
PID 5024 wrote to memory of 3680	5024	cmd.exe	119
PID 2288 wrote to memory of 1052	2288	cmd.exe	118
PID 2288 wrote to memory of 1052	2288	cmd.exe	118
PID 2288 wrote to memory of 1052	2288	cmd.exe	118
PID 5024 wrote to memory of 4424	5024	cmd.exe	113
PID 5024 wrote to memory of 4424	5024	cmd.exe	113
PID 5024 wrote to memory of 4424	5024	cmd.exe	113
PID 1040 wrote to memory of 4072	1040	cmd.exe	117
PID 1040 wrote to memory of 4072	1040	cmd.exe	117
PID 1040 wrote to memory of 4072	1040	cmd.exe	117
PID 4720 wrote to memory of 1788	4720	cmd.exe	116
PID 4720 wrote to memory of 1788	4720	cmd.exe	116
PID 4720 wrote to memory of 1788	4720	cmd.exe	116
PID 4572 wrote to memory of 2728	4572	cmd.exe	115
PID 4572 wrote to memory of 2728	4572	cmd.exe	115
PID 4572 wrote to memory of 2728	4572	cmd.exe	115
PID 1040 wrote to memory of 5084	1040	cmd.exe	114
PID 1040 wrote to memory of 5084	1040	cmd.exe	114
PID 1040 wrote to memory of 5084	1040	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\5b439f0679891477a6720337b94d12e8.exe
"C:\Users\Admin\AppData\Local\Temp\5b439f0679891477a6720337b94d12e8.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun32.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun19.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun74.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun91.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe

Filesize
814KB

MD5
5e5f63cd0ca3ee94c61a2db20ce33fc9

SHA1
c90ea9645c7cc1ad7553675a7ecdf880b1fb4621

SHA256
219280ffebd3d771102fc3a7f26529e5e9161366e3a5de2f8943d81dda7756bf

SHA512
b36df698f1cbe52df754db9fcfba7e6811b6fc74f44a89378ce29356630f66a10d526402e9d133f8ab608bb614e2214945c0b732b4db3d0cad3d3665e062edcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun19.bat

Filesize
130B

MD5
9749362af66eb04abc7d18f857d770af

SHA1
157e6dcb88620f3260a3117f1571db7b1c70ba8a

SHA256
2a5353ed5694a34536145dcf811db213620750c2b652a0334c004805b362959b

SHA512
bc740cc890bc3506a8c2ac66adf8b0f24e81cd069c589b5b3f8fb9c83017ce614478a5261db9a1ce9d6a2a5977201fae44dfb0ff282b30bfb92ed25aa999a689

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun32.bat

Filesize
130B

MD5
c2051747849229e9a0ec40ae9e84d057

SHA1
9c566e0a4ed8febd7364a0c702fb8a714362557c

SHA256
bf228d23bc9cd90885950a34e39221a70a09d74dc85ccaadf8862cc66da7602e

SHA512
51e5a3aaeefb3c3abf03e47429514cc747e5fce04fa04e4c0d9d8533959c84c0a0d57567a7f0a2c9d210891a25310ba936ccf2085864d06763d31802cf1faabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun74.bat

Filesize
142B

MD5
d639bc0832331c473764e1ec371f6b1b

SHA1
6dc40e9d4162dd3137cefe927f936b01d2cb1022

SHA256
ce172de5a6f70c23316a575107066cc2d7800ccdc8e697fa042e2b788d5e0dee

SHA512
a6b4374510232bf363158cc59d19b1bda62910d928ecbb9f2512b02f41fcc832ba8024c425501529a24fc05682525bfdbd0d5dbe653973f56e2768a2bed2fb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun8.bat

Filesize
141B

MD5
6a874290cdec877d74b72242a092d953

SHA1
d579121b9a41401666ffe9013d1e85c7245bd02f

SHA256
7c68441a42a0f6015bc9a7e3e8561eabdf24cd0fc011080319995f319ba76013

SHA512
128aaef3e5015e34e75c935f3c850744b5e181e31f70291aaf02fd807b81633261a8005e893df6b2f3d27eeeac9b5800436db15f5e8849ed856a2aa72ac61a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun91.bat

Filesize
191B

MD5
5ab97efd33f56f35e53c395e52c6b477

SHA1
55df33d930a489db0902ee3d12d4baa27c901f76

SHA256
9b862cc69021e83c9a95dd8b3e17ae9131409a22c6aca3e70978ab01da5cdf06

SHA512
0763e46c11d84cdaa4037bc3d8a18d33ede06d37eb12414f8cdd047a95377b2a6627af0c5637afc41376e2fd32a495d9267e4203506097c4fdb6c3552fdaafe4

Download Submit
C:\Users\Admin\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
ff86e243cc991ced1d422ed2260200ee

SHA1
54b1a7b40ce591eec4890ad5b032c0877e0961cd

SHA256
d0d64d1e07d366467db840a04a441b50d357150b7a49edab14d01f712c1bc335

SHA512
df171e155aace592c39eed46198d1f5f2d40b8ca5c74892eba3b59b2a4f90ff0a2f6ed3ead2ae7fb2da2d61774a9f5008b0dfaa3792e910e2209c375e343d8f4

Download Submit
memory/4888-0-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4888-1-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download