e88ebfe8ac396c0497f4721035a223db4d50132e2f2d2e83ca5893c35d095341

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ac49679720474f3fa68f27b9010f224.exe
Size

147KB
MD5

9ac49679720474f3fa68f27b9010f224
SHA1

8e179bd3986a11157270a009e2fc677422b451c0
SHA256

e88ebfe8ac396c0497f4721035a223db4d50132e2f2d2e83ca5893c35d095341
SHA512

81a6a8c990679669fcd363a6f2c368a4c0c92596fd17dd7e4a6c568fa54e9a7f52f1c3627e78513ef93a33a2c57714f56cf125ac90da88072b816ea48296ade7
SSDEEP

3072:GPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkOIEY:GPhaCEHpMGljt/RYkB

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Genuine Advantage = "C:\\Users\\Admin\\AppData\\Roaming\\wgatray.exe"	reg.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\removigbb\ImagePath = "\\??\\C:\\Win.sys"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\chkfrt.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4e92002c4a416439bca1d31c27b84050000000002000000000010660000000100002000000022c9745530c55057b77902096bd581e6219241516225d0ff4734bd34cd41ff1e000000000e80000000020000200000009acccf32dd5cec450f29ef45532a6fe3045ef6b7d3b19ab798784eafc0c3912d20000000891401d99507de322163fb2a363156713ab2a01061145f7b44015ef4728a7fd840000000139c9e99f7602f8a59fd42d5237da527ab9ecaccc1dac520e42d133309de78a618bffa1a3eacada0c773879ae8b5add8d44b6c5f7be18619669272622cc3f6f4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414650383"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA67A850-CAF2-11EE-BB4F-7672481B3261} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31088383"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31088383"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20988c80ff5eda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2132952079"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2128421182"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50857980ff5eda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4e92002c4a416439bca1d31c27b8405000000000200000000001066000000010000200000003e55dc6d7dc02349143a4adda4d54d4aeae7c0ee8fda384cb4704b51d079421b000000000e8000000002000020000000d3cdc03aba51da1f1fb44fcf0921d76a20b98495cdc8f086cf43735f4a2ea17820000000d160dc9a2d18f06726dcbf5e998bf4f6a46f243b4fd7de462b794d7e387ae4e24000000072bc744c79e0cc3930c7af4423e090a1117cfeadd3b978e27d54b342037122a27595e2f07b3a67ee1f401611740075a9ab6b937cbefd25110cd801e78f0c0fdf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2128421182"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31088383"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4620	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1432	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2984	iexplore.exe
2984	iexplore.exe
3996	IEXPLORE.EXE
3996	IEXPLORE.EXE
3996	IEXPLORE.EXE
3996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 5016	4240	9ac49679720474f3fa68f27b9010f224.exe	84
PID 4240 wrote to memory of 5016	4240	9ac49679720474f3fa68f27b9010f224.exe	84
PID 4240 wrote to memory of 5016	4240	9ac49679720474f3fa68f27b9010f224.exe	84
PID 5016 wrote to memory of 4620	5016	cmd.exe	86
PID 5016 wrote to memory of 4620	5016	cmd.exe	86
PID 5016 wrote to memory of 4620	5016	cmd.exe	86
PID 5016 wrote to memory of 3812	5016	cmd.exe	87
PID 5016 wrote to memory of 3812	5016	cmd.exe	87
PID 5016 wrote to memory of 3812	5016	cmd.exe	87
PID 5016 wrote to memory of 1448	5016	cmd.exe	88
PID 5016 wrote to memory of 1448	5016	cmd.exe	88
PID 5016 wrote to memory of 1448	5016	cmd.exe	88
PID 5016 wrote to memory of 4956	5016	cmd.exe	89
PID 5016 wrote to memory of 4956	5016	cmd.exe	89
PID 5016 wrote to memory of 4956	5016	cmd.exe	89
PID 5016 wrote to memory of 3140	5016	cmd.exe	90
PID 5016 wrote to memory of 3140	5016	cmd.exe	90
PID 5016 wrote to memory of 3140	5016	cmd.exe	90
PID 5016 wrote to memory of 2984	5016	cmd.exe	91
PID 5016 wrote to memory of 2984	5016	cmd.exe	91
PID 5016 wrote to memory of 1432	5016	cmd.exe	93
PID 5016 wrote to memory of 1432	5016	cmd.exe	93
PID 5016 wrote to memory of 1432	5016	cmd.exe	93
PID 5016 wrote to memory of 4980	5016	cmd.exe	94
PID 5016 wrote to memory of 4980	5016	cmd.exe	94
PID 5016 wrote to memory of 4980	5016	cmd.exe	94
PID 5016 wrote to memory of 2060	5016	cmd.exe	95
PID 5016 wrote to memory of 2060	5016	cmd.exe	95
PID 5016 wrote to memory of 2060	5016	cmd.exe	95
PID 2060 wrote to memory of 5040	2060	cmd.exe	96
PID 2060 wrote to memory of 5040	2060	cmd.exe	96
PID 2060 wrote to memory of 5040	2060	cmd.exe	96
PID 2984 wrote to memory of 3996	2984	iexplore.exe	97
PID 2984 wrote to memory of 3996	2984	iexplore.exe	97
PID 2984 wrote to memory of 3996	2984	iexplore.exe	97

C:\Users\Admin\AppData\Local\Temp\9ac49679720474f3fa68f27b9010f224.exe
"C:\Users\Admin\AppData\Local\Temp\9ac49679720474f3fa68f27b9010f224.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8552.bat
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\323.reg
    3⤵
    - Sets service image path in registry
    - Runs .reg file with regedit
    PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run" /v "Windows Genuine Advantage" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wgatray.exe"
    3⤵
    - Adds policy Run key to start application
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
    3⤵
    PID:3140
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "http://ver.lovezinho.com"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3996
- - C:\Windows\SysWOW64\PING.EXE
    C:\Windows\system32\ping.exe www.google.com -n 1 -l 1
    3⤵
    - Runs ping.exe
    PID:1432
- - C:\Windows\SysWOW64\find.exe
    find "TTL"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector" /v IE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector" /v IE
      4⤵
      PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
34a715b7eff98727a79196c12548166d

SHA1
d5e289b29da4499777553a8a18000554d3664059

SHA256
6b41a389423de69980de3d667fca2f72e5ce6224dcea62d765862d07e76f9f01

SHA512
62de58bac2f19abcfd8503f2b0abf64872a6354c140e020975d40fda1c975ed3ccc9f05a58ab45663c3eee52dbb5d6974aca6df78f7e60e780f5320622516860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
914f611634fc87d242e62fd2413712ff

SHA1
df436c229385f39960be48939a0314b956504e31

SHA256
57dfb0dd39bacb4760e3250763708416e3a078d8cc6f20c0dc35e599d7f29779

SHA512
8d2813ca9f634451d25a4b19085a535b6f15200a7cfb5eb7fa1d17f670fc9b03e66966ffd5232a045abcd832c09bb1052e9170b473ebff75acf72f9d0cac6e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GUTCV3OF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\323.reg

Filesize
1KB

MD5
10bc201c5d51010650443adc933e4166

SHA1
71676b93cf04961657e50fc1fe4bc20ee5ea6079

SHA256
9c67e59028ac82abc17381b92c143b3c4b4395c5b8ce80b4a9081139f5931af0

SHA512
b3f8b307805922f19aca687b3355c06cdb029615cb89ad6b1a6144dd0c364f2cc418ed95a94fdd741d51b4cc1bb4b75971756fffe2f87d26ae5e5e1d87dd8b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt8552.bat

Filesize
6KB

MD5
8147cbd0ddf1c7b8df78b7bcddd1c856

SHA1
91eb0f3b4e99e11d07271c34e5dbfccd0801c4a4

SHA256
9c691aad1fff084cf2b9b2fd2cb21cba238364f2f1352cbf141e5f53ccca1ce8

SHA512
827e1f75308f8a231cbad9481a527585125bc3f64760a56ed2648eef2c7fcd230c09472265f2aeffa3a0012aec29354c38d7d5e67bc4c5dbda1c5694c2987094

Download Submit
memory/4240-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads