Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 17:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
  Resource: win10v2004-20240226-en
The analysis results on this page are from behavioral2 (the win10v2004-20240226-en resource named in the Analysis header above); the win7 run is not shown here.
General
Target: 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
Size: 80KB
MD5: 44d5751464a4e0ae855ad82c87bdbcf3
SHA1: fd7835fca8e86e42cfe5fe2aab99e320fd90fd1f
SHA256: 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b
SHA512: b94de8b5debfa6bb0917301f127eb47b783252c6ea9e8b10a5c9be33e4720ff39b8d7c346edcfa556685b9199071e6cf93408143e91e55b7a59fe23589e3d23a
SSDEEP: 1536:wasQx7dBLwhrkISRd2u+nlB2p8yBVejX1eYS:wa4kvd2uA/A7BVejXMYS
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | WgaDisp.exe
Both the dropper and the dropped WgaDisp.exe perform the lookup.

Executes dropped EXE (1 IoC)
pid | Process
4292 | WgaDisp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\_WGA = "C:\\Windows\\WgaDisp.exe" | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
The WOW6432Node path is the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: the sample is an x86 binary running on 64-bit Windows (consistent with the SysWOW64\cmd.exe it launches in the process tree). Entries under both the native and the WOW6432Node Run key are executed at logon, so a hunt for this persistence has to query both views.

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\WgaDisp.exe | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
The copy is written directly into the Windows root rather than an installer-managed directory, and it is the same path the Run key points at. Both the HKLM write and the drop into C:\Windows require administrative rights, which the sample evidently had in this run; under a standard user account neither would succeed and the persistence would not be established.
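The three behaviours above (geofence lookup, Run key, file drop) are reported as separate IoC lines, but their value for detection comes from correlating them: a Run entry that points at a file the same run dropped into the Windows root is a complete persistence chain. The following script is an added example, not part of the Triage report. It parses IoC lines in the report's own "<action> <path>[ = <data>] <process>" shape, classifies them, and raises severity when the Run-key target matches a dropped file. The first four input lines are copied from the tables above; the fifth is a constructed benign Run entry (the ExampleUpdater name and ExampleSetup.exe process are hypothetical) included for contrast. Rule names and severity labels are this example's own choices.

```python
"""Classify Triage-style behavioural IoC lines and correlate them.

Added example, not part of the Triage report. The first four SAMPLE_LINES are
copied from the Signatures section; the last is constructed for contrast.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LINES = [
    r'Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation WgaDisp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\_WGA = "C:\\Windows\\WgaDisp.exe" 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe',
    r'File created C:\Windows\WgaDisp.exe 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe',
    # Constructed (hypothetical names): a Run entry pointing at an installer-managed
    # location with no matching file drop in this run.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" ExampleSetup.exe',
]

ACTION_RE = re.compile(
    r"^(?P<action>Key value queried|Key created|Set value \((?:str|int|data)\)|File created)\s+(?P<rest>.+)$"
)
GEO_NATION_SUFFIX = r"\Control Panel\International\Geo\Nation"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# An .exe placed directly in the Windows root, not in a subdirectory such as System32.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Ioc:
    action: str
    path: str
    data: Optional[str]
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def parse_ioc(line: str) -> Optional[Ioc]:
    """Parse '<action> <path>[ = <data>] <process>'.

    The path may contain spaces ("Control Panel"), so the process is taken as
    the last whitespace-separated token and the optional data as whatever
    follows the first ' = '. Returns None for lines that are not IoC rows.
    """
    m = ACTION_RE.match(line.strip())
    if not m:
        return None
    rest, _, process = m["rest"].rpartition(" ")
    path, sep, data = rest.partition(" = ")
    if sep:
        # Triage quotes string data and doubles backslashes; normalise to a real path.
        data = data.strip().strip('"').replace("\\\\", "\\")
    else:
        data = None
    return Ioc(m["action"], path, data, process)


def analyse(lines):
    """Classify IoC rows and correlate Run-key targets with dropped files."""
    iocs = [i for i in map(parse_ioc, lines) if i is not None]
    dropped = {
        i.path.lower() for i in iocs
        if i.action == "File created" and WINDOWS_ROOT_EXE_RE.match(i.path)
    }
    findings = []
    for i in iocs:
        if i.action == "Key value queried" and i.path.endswith(GEO_NATION_SUFFIX):
            findings.append(Finding("geofence_check", "low", i.process, i.path))
        elif i.action.startswith("Set value") and (m := RUN_KEY_RE.search(i.path)):
            target = (i.data or "").lower()
            # A Run entry pointing at a file this run dropped into the Windows root
            # is a complete persistence chain, so it outranks a bare Run write.
            sev = "high" if target in dropped else "medium"
            findings.append(Finding("run_key_persistence", sev, i.process, f"{m['name']} -> {i.data}"))
        elif i.action == "File created" and WINDOWS_ROOT_EXE_RE.match(i.path):
            findings.append(Finding("exe_dropped_in_windows_root", "medium", i.process, i.path))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.rule:28} {f.process}: {f.detail}")
```

Run against the five lines this yields two low geofence findings (one per process), one high-severity Run-key finding for `_WGA -> C:\Windows\WgaDisp.exe`, one medium file-drop finding, and only a medium finding for the constructed ExampleUpdater entry, since nothing in the run dropped its target. The correlation is deliberately on the normalised path string; if the report you feed it uses 8.3 names or environment variables in the Run data, expand those before comparing.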
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\ and are written by iexplore.exe / IEXPLORE.EXE, which the sample and WgaDisp.exe launched with the URL shown in the process tree. They are Internet Explorer's own housekeeping (recovery state, version check, new-tab page, GPU info), not changes made by the sample, so they are not useful indicators for it. The two DecayDateQueue values are DPAPI-protected blobs (the 01000000 prefix followed by d08c9ddf-0115-d111-8c7a-00c04fc297eb is the DPAPI provider GUID).
description | ioc | Process
Key created | Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1681296942" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1691766380" | IEXPLORE.EXE
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31096738" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31096738" | iexplore.exe
Key created | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a782000000000200000000001066000000010000200000009af5c1dd9d58cbd3e22dba48048f08b2eb8e7d7f2e2824f209dd6b5606a99711000000000e8000000002000020000000ca6622dbf65dc46c39b92f8b226e768822c21b48ac91b9d23823530a9d94c52c20000000fa2bdc17a0f8a90bacf77d2ee75d81680e5eca9130ca2930e05390c66e67035140000000497a47a82ca8adcbe62afacc5ce22a3cce2c2c5df2fe2ac1de9c88ae4bff550d81d573f298f8b39c7b0ed65c95e60d80054a86a8bbc7eadc4b4d5d20c518892c | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b17a65a27fda01 | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1681296942" | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418238785" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8FC5D9DC-EB95-11EE-B49E-D28C415B03FA} = "0" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a782000000000200000000001066000000010000200000009f04f93f6e01a54ededf3be04b9b4a80f6f02f6fd32886f203e6a03eb609d7e2000000000e8000000002000020000000ff30cc6d7245616db80932920d8c3e6634c781159bfdbf53b2ca447cc14a8173200000003eed2a65e5cec6c4adace3cf14adf650decaff575b38931983b7fabb96ec0b7d400000005233156a0fc94464fe7d69753e2f9310cd84b0ce7ee9a8eac348bcf652fce4e556ae9c0433e6d7b388ef69e7d01d5eb5a09285726d0c99cdb1f5194f52f504c5 | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70285e65a27fda01 | iexplore.exe
Key created | SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31096738" | IEXPLORE.EXE
Suspicious behavior: LoadsDriver (22 IoCs)
pid | Process
4 | Process not Found (21 rows)
660 | Process not Found (1 row)
pid 4 is the Windows System process, so these driver loads are kernel-initiated; none of them is attributed to the sample or to any process it spawned.

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4608 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4608 | iexplore.exe (2 rows)
3980 | IEXPLORE.EXE (4 rows)
All hook installs are by Internet Explorer itself, not by the sample or WgaDisp.exe.

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 3896 wrote to memory of 4608 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 89
PID 3896 wrote to memory of 4608 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 89
PID 3896 wrote to memory of 4292 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 90
PID 3896 wrote to memory of 4292 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 90
PID 3896 wrote to memory of 4292 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 90
PID 3896 wrote to memory of 1820 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 91
PID 3896 wrote to memory of 1820 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 91
PID 3896 wrote to memory of 1820 | 3896 | 0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe | 91
PID 4292 wrote to memory of 1624 | 4292 | WgaDisp.exe | 93
PID 4292 wrote to memory of 1624 | 4292 | WgaDisp.exe | 93
PID 4608 wrote to memory of 3980 | 4608 | iexplore.exe | 94
PID 4608 wrote to memory of 3980 | 4608 | iexplore.exe | 94
PID 4608 wrote to memory of 3980 | 4608 | iexplore.exe | 94
Every target in this table is a process the writer itself spawned (compare the process tree below). A parent writes the new child's startup parameters into it as part of normal process creation, so a handful of writes from a parent to a child it has just created is expected, and Internet Explorer triggers the same signature for its own content process. Nothing here shows a write into a process the writer did not create, which is the pattern that would point to injection.
Processes
C:\Users\Admin\AppData\Local\Temp\0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe (PID 3896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe (PID 4608)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.thesexsquare.com/2/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3980)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4608 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  C:\Windows\WgaDisp.exe (PID 4292)
    Command line: "C:\Windows\WgaDisp.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (PID 1624)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.thesexsquare.com/2/
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe (PID 1820)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_DelItB.bat" "
Notes: the dropper and its dropped copy each open the same URL in Internet Explorer, and IEXPLORE.EXE (PID 3980) is IE's own content process for the first instance (SCODEF:4608 names its parent). The cmd.exe command line says system32 but the image that actually ran is SysWOW64\cmd.exe, because the 32-bit parent's path was redirected by WOW64 file system redirection. The batch file _DelItB.bat is run from the user's Temp directory; its contents are not shown in this report.
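The WriteProcessMemory table and the process tree above are two views of the same events: each write target is a child of the writer. The script below is an added example, not part of the Triage report. It encodes the parent/child relationships from the Processes section, parses the thirteen "Suspicious use of WriteProcessMemory" rows in the report's own format, and separates writes into a process the writer spawned (what process creation looks like from the outside) from writes into a process it did not, which is the injection pattern an analyst should chase. The last input row is constructed (WgaDisp.exe writing into the IE content process it did not create) to show how an injection candidate surfaces; it did not occur in this run.

```python
"""Separate process-creation writes from cross-process injection candidates
in a Triage WriteProcessMemory IoC table.

Added example, not part of the Triage report. PROCESSES is the parent/child
table from the Processes section; the first 13 WPM_LINES are the report's
rows and the last one is constructed for contrast.
"""
import re
from collections import Counter

SAMPLE = "0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe"

# pid -> (image name, parent pid); None marks the submitted sample as the root.
PROCESSES = {
    3896: (SAMPLE, None),
    4608: ("iexplore.exe", 3896),
    3980: ("IEXPLORE.EXE", 4608),
    4292: ("WgaDisp.exe", 3896),
    1624: ("iexplore.exe", 4292),
    1820: ("cmd.exe", 3896),
}

WPM_LINES = [
    f"PID 3896 wrote to memory of 4608 3896 {SAMPLE} 89",
    f"PID 3896 wrote to memory of 4608 3896 {SAMPLE} 89",
    f"PID 3896 wrote to memory of 4292 3896 {SAMPLE} 90",
    f"PID 3896 wrote to memory of 4292 3896 {SAMPLE} 90",
    f"PID 3896 wrote to memory of 4292 3896 {SAMPLE} 90",
    f"PID 3896 wrote to memory of 1820 3896 {SAMPLE} 91",
    f"PID 3896 wrote to memory of 1820 3896 {SAMPLE} 91",
    f"PID 3896 wrote to memory of 1820 3896 {SAMPLE} 91",
    "PID 4292 wrote to memory of 1624 4292 WgaDisp.exe 93",
    "PID 4292 wrote to memory of 1624 4292 WgaDisp.exe 93",
    "PID 4608 wrote to memory of 3980 4608 iexplore.exe 94",
    "PID 4608 wrote to memory of 3980 4608 iexplore.exe 94",
    "PID 4608 wrote to memory of 3980 4608 iexplore.exe 94",
    # Constructed, not from the report: a write into a process the writer did not spawn.
    "PID 4292 wrote to memory of 3980 4292 WgaDisp.exe 94",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(line):
    """Return (writer pid, target pid) from one Triage WriteProcessMemory row."""
    m = WPM_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    writer, target, _pid, _image, _procid_target = m.groups()
    return int(writer), int(target)


def classify_writes(lines, processes):
    """Group writes by (writer, target) and label each pair.

    A write into a process whose recorded parent is the writer is consistent
    with CreateProcess filling in the child's startup parameters. A write into
    any other process is an injection candidate: the region written and the
    target's state are the next things to pull from the sandbox.
    """
    counts = Counter(parse_wpm(line) for line in lines)
    verdicts = {}
    for (writer, target), n in counts.items():
        parent = processes.get(target, (None, None))[1]
        verdict = "process_creation" if parent == writer else "injection_candidate"
        verdicts[(writer, target)] = (n, verdict)
    return verdicts


def render_tree(processes, root=None, depth=0):
    """Indented process tree, children listed under their parent in table order."""
    lines = []
    for pid, (image, parent) in processes.items():
        if parent == root:
            lines.append(f"{'  ' * depth}{image} (PID {pid})")
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for (w, t), (n, verdict) in classify_writes(WPM_LINES, PROCESSES).items():
        print(f"{w} -> {t}: {n} write(s), {verdict}")
```

All five real writer/target pairs come out as process_creation and only the constructed 4292 -> 3980 pair as injection_candidate. One limit worth keeping in mind: a parent that creates a child suspended, overwrites its image and resumes it (process hollowing) also writes only into its own child, so this parent/child test alone does not clear a write; the size and address of the region written, and whether the child was created suspended, are what distinguish the two.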
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not name these files. Note that the third entry has the same size as the submitted sample (80KB) but none of its hashes, so a hunt keyed only on the sample's hashes would not match it.

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 295B
MD5: 05d610fff4751625d8f762d7d96da79d
SHA1: c8fed18665f61b36351999e1de285d6a09c4658f
SHA256: 751ff766033568248fa1525020a17bef434191f0095b5cf33e6795ff76afad7f
SHA512: de6c181960a500ab505cbc4fa9a1afa6795b76cf8d78022c19b6fe1436b3b7e17cb46e856eae1413b7dc3a73d7408a8e1448b66f2ae924f79f45d6d064e679aa

Filesize: 80KB
MD5: 3a1d1feb1676d050e8bdf8169be41735
SHA1: 1bb2981d4c1ecc56d7c6f49d0e5d84ab480d60a7
SHA256: 46e44352b4f5113567a241504b404d2115ba2b7c0b2b28d2675fd26f35378608
SHA512: 0c9bb61252f5701828a677513bf9f382bbffe2b5ef1236eef3e7257775e5fd0e5dca50e70c1f6907daf6569f52a252bf826f67f8f3bd6e4960bdf9822ba2e17e