92fceb949c5b1c34aa19377b103439c44a8f61ea4db43173883262ddcd71a5b8

Analysis

max time kernel
92s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7743e85e4aab9c595053d4a605887cfe.exe
Size

45KB
MD5

7743e85e4aab9c595053d4a605887cfe
SHA1

91c318d180aef4abae035cf5d11705d307caf4d2
SHA256

92fceb949c5b1c34aa19377b103439c44a8f61ea4db43173883262ddcd71a5b8
SHA512

4a1112def84d26c4f42b40d46256f2b9bba2e60ace6f7da2e73f38234b539ed9901c8856bc70556a1fa741c44aede6088cb771a9a7eb3c0f2f2949da5c0cb82e
SSDEEP

768:y3J3kyPnf7zO23G43LLc/2vYPif9Ia3gn+hpJqOcsMVKFGARS+igNz:y3J3ka3/XEfif9PJT1F7FG2S+igNz

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3032	7743e85e4aab9c595053d4a605887cfe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winfkx32.rom,yPxRun"	7743e85e4aab9c595053d4a605887cfe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winfkx32.rom	7743e85e4aab9c595053d4a605887cfe.exe
File opened for modification	C:\Windows\SysWOW64\winfkx32.rom	7743e85e4aab9c595053d4a605887cfe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31084620"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3053884359"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31084620"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1911D57-BC3F-11EE-BD28-4EA1437444E8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3054978352"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31084620"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31084620"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3053884359"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413034279"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3054978352"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2756	iexplore.exe
2756	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3720	3032	7743e85e4aab9c595053d4a605887cfe.exe	85
PID 3032 wrote to memory of 3720	3032	7743e85e4aab9c595053d4a605887cfe.exe	85
PID 3032 wrote to memory of 3720	3032	7743e85e4aab9c595053d4a605887cfe.exe	85
PID 3720 wrote to memory of 2756	3720	cmd.exe	88
PID 3720 wrote to memory of 2756	3720	cmd.exe	88
PID 2756 wrote to memory of 2576	2756	iexplore.exe	92
PID 2756 wrote to memory of 2576	2756	iexplore.exe	92
PID 2756 wrote to memory of 2576	2756	iexplore.exe	92
PID 3032 wrote to memory of 2756	3032	7743e85e4aab9c595053d4a605887cfe.exe	88
PID 3032 wrote to memory of 2756	3032	7743e85e4aab9c595053d4a605887cfe.exe	88
PID 3032 wrote to memory of 2756	3032	7743e85e4aab9c595053d4a605887cfe.exe	88
PID 3032 wrote to memory of 2756	3032	7743e85e4aab9c595053d4a605887cfe.exe	88
PID 3032 wrote to memory of 1072	3032	7743e85e4aab9c595053d4a605887cfe.exe	97
PID 3032 wrote to memory of 1072	3032	7743e85e4aab9c595053d4a605887cfe.exe	97
PID 3032 wrote to memory of 1072	3032	7743e85e4aab9c595053d4a605887cfe.exe	97
PID 3032 wrote to memory of 2188	3032	7743e85e4aab9c595053d4a605887cfe.exe	98
PID 3032 wrote to memory of 2188	3032	7743e85e4aab9c595053d4a605887cfe.exe	98
PID 3032 wrote to memory of 2188	3032	7743e85e4aab9c595053d4a605887cfe.exe	98

C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.exe
"C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\twe4DC2.bat"
  2⤵
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.bat"
  2⤵
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
b610bd5c61e2121914699e4b6cb9f7f4

SHA1
514f5ad7770f18e1c5b62253d95d6aa3c63c83ee

SHA256
3a418958f81aae04aa13719238c42d24adc5258b95246b3df0b32a1bf7676b51

SHA512
9ebb50a5b4942dfbf1a037e8a1b6308502d5bd337abaf90cca0d44f3a88001b25c6f82787f13b2d5a6f2bcb81209f831c16422d4c1a6cb6e07d55e8dccd7b3b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
6876a3f28eed8f3947f4a5a7b8de3899

SHA1
73620dd6f8ed6990fe5b93594dd8ecc0813d1c6e

SHA256
9204ccdaec27d909abca89bf69c0e5c5e52f2360b93fcfb1a9cfdc8607a39e0f

SHA512
5683c994e058693638fba3f53a5e3aebeffb73442f7a9e730c246d55efe3aac3159a2e885a07b6004f1a0383e72eb1fbe13af2e9d3b44fc26da725455150279f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC6F9.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.bat

Filesize
263B

MD5
2468b86b10f8b8e753fc7e0437c06b22

SHA1
0252da17bac8d7c61b91d9da6f8f32efa6e986aa

SHA256
d5e6ac8863d1647ef2a6848bad1d6794991803b818c3b54a8aa00dab2e333788

SHA512
20dea88fc5968395c7993fd32f04234b9c06cb90976e4fcdfaaf4770da5ba7f7892aaf7f21e1dcbf2df765cb7cbaa835f0baacd07b0d1d6a0960b1e1baa4c74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\twe4DC2.bat

Filesize
188B

MD5
05818711ab5306071c0e805a85d7479b

SHA1
5de5b0b9e1e0db62b189f1f20eb7900e1e0a4d9d

SHA256
9ee61ff198baf4e86c989c73017240c839b84213cd3bdd2434bf70454a0381ab

SHA512
9ffeab99ead852e16df3033005661fe535c80bc37ffc963e46a3472c4368579e5f5f07d96fdbbe1fccfd53522a3cccba7bbca1d9e0d8fb1a7ed5bfad3cfa106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\twe4DC2.tmp

Filesize
32KB

MD5
7ac9acb5469776c2f03d943037d47298

SHA1
8f8838c3da0df25c95c6fb50205c427d2afc7543

SHA256
16a9514b509206e55689a8bd6a1edae52987efc8459a021d5cec3b5c54946b15

SHA512
51b168d05103e9439e920e6b1c9b5b817e3e7255b7d18b89d88140311fa9313240037f1449c908c512b5c0b105581895b31a6182f60ced2d6ad396fb67502d3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads