eef0cbfc0d5831ca1ea715e87b495060e5712577a65c789a002f93f064d1d7d8

General

Target

װ.bat
Size

554B
MD5

46d8b059dab8f3fb4aa897c2c912e7be
SHA1

e3947171b6412965d5266a5c294c945fc6b0593c
SHA256

80c3de02a86db828a368edf69159ad42296bb9e36f7a6d57d79bd5de96f8b7ac
SHA512

a4e47b6e221db1fd0f891838fcec84878a6073a03bd19edfdfb1461d2a5d6adcccb4acbce198bd569cab7d4b397994ae88cbef90aec64fc03865378b7ff4923d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a92dc0fb99da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04637c0fb99da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa1cacc1b5bc1b46b672921b3ff780860000000002000000000010660000000100002000000035f7b02497248ed531723d1b68873edfe32622eee2de134628e20b2c12434ede000000000e80000000020000200000002ebbcfe6076c3a85b59c9dcce7055428c5c9df430da2364a052b6bf70b8de2bd20000000a3d83865d6f73c06ef3526510d319da5c5ff223db5a04f4b65aae499d1796746400000007c2bd7b349f042500acb405a0dfe9b8fb09918c78d28ad9ab14e35d8f2c7977b8583ba3875b995055d26ae85b788dc32935a326f3696ceab97efc3667f38ee1e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420532773"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa1cacc1b5bc1b46b672921b3ff78086000000000200000000001066000000010000200000007e91879c2ab934f5033c35a00b093992eb994db1cbe6de791743f5890c6c502e000000000e80000000020000200000004d9b0584c8e3fefef04543da53f51aeeefb942f1fecbed4f9d849524a372ce6d200000007c2a764ca0fd9825809e644e645b4a1ba82eceeeedb0c240a68f50bd5b9c16c8400000007be253089ccf19b0b4352bac2e15d00fc1791a3044840f94e7d3ad43e324971323d915e014f0a107116833e376fa5311d013997bd72d37d0c26086ba31b2a104	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DD5BDFEF-05EE-11EF-9107-4AD5DB239FB5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3364	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3364	iexplore.exe
3364	iexplore.exe
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3364	208	cmd.exe	87
PID 208 wrote to memory of 3364	208	cmd.exe	87
PID 3364 wrote to memory of 2264	3364	iexplore.exe	89
PID 3364 wrote to memory of 2264	3364	iexplore.exe	89
PID 3364 wrote to memory of 2264	3364	iexplore.exe	89

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\װ.bat"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:208
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.fxxz.com?bat
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3364 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\QQ╧┬╘╪-╫ε╨┬QQ╧┬╘╪-2008QQ╧┬╘╪-╠┌╤╢QQ╧┬╘╪.url

Filesize
125B

MD5
f9ee8b09cdcb1cc167fa8bebf1c83129

SHA1
19951e6c628760e97fcbdad9cde262c0a5973617

SHA256
a012824f7dd32c25056a35083ec4ac7fb7434f0568f0ab64ad77eb4acf12e453

SHA512
c7f3a64e2d5976f034ad2cda795243807db0a5377ef0434cae8e0fc933a7efa2414ec2d15506f7d63c372d46deb42ae2e24f65aea730aecf0d6787b4d08738c0

Download Submit

Analysis

Sharing