010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe
Size

26KB
MD5

918a6b9b6dfc81bfe266130ad30b21ad
SHA1

aa0bd70c8291b5d76d001cb17e4cb3ea6129fe7e
SHA256

010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7
SHA512

995b973b5cb0603c201bc83ce496c08edfdeb12cd6b62350a409d87ea678808c909133b1387fbe511ac0ccd4fbbb14d1637d346f2eaa9e7c47030ae079bc7380
SSDEEP

768:qq3G3q83wdv7GLGS1R9TNoINEx9jnhwrw:Jkq83wdv7Gti

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Krnl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	Krnl32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe"	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Krnl32.exe"	Krnl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\cmdl32.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\choice.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\clip.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\cmmon32.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\cmstp.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\attrib.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\appidtel.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\autochk.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\bitsadmin.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\Com\MigRegDB.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\compact.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\bootcfg.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\BackgroundTransferHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\ByteCodeGenerator.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\dvdplay.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\agentactivationruntimestarter.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\certutil.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dtdump.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\CredentialUIBroker.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\cscript.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	Krnl32.exe
File created	C:\Windows\SysWOW64\bthudtask.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\dplaysvr.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\Com\comrepl.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\comp.exe	Krnl32.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	Krnl32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\mirc\script.ini	Krnl32.exe
File opened for modification	C:\Program Files\mirc\ \.dcc send $nick	Krnl32.exe
File opened for modification	C:\Program Files\pirch98\pirch98.ini	Krnl32.exe
File opened for modification	C:\Program Files\pirch98\events.ini	Krnl32.exe

Drops file in Windows directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\BioEnrollmentHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\CallingShellApp.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\OOBENetworkConnectionFlow.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe	Krnl32.exe
File opened for modification	C:\Windows\bfsvc.exe	Krnl32.exe
File opened for modification	C:\Windows\explorer.exe	Krnl32.exe
File opened for modification	C:\Windows\hh.exe	Krnl32.exe
File opened for modification	C:\Windows\Speech\Common\sapisvr.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\CredDialogHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe	Krnl32.exe
File opened for modification	C:\Windows\HelpPane.exe	Krnl32.exe
File opened for modification	C:\Windows\splwow64.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\FilePicker.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\WpcUapApp.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\NcsiUwpApp.exe	Krnl32.exe
File created	C:\Windows\hh.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\FileExplorer.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\PinningConfirmationDialog.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\XBox.TCUI.exe	Krnl32.exe
File opened for modification	C:\Windows\Boot\PCAT\memtest.exe	Krnl32.exe
File opened for modification	C:\Windows\servicing\TrustedInstaller.exe	Krnl32.exe
File opened for modification	C:\Windows\sysmon.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Microsoft.AsyncTextService.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\OOBENetworkCaptivePortal.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	Krnl32.exe
File opened for modification	C:\Windows\notepad.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\Microsoft.ECApp.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe	Krnl32.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe	Krnl32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000a6d83c555f8a6c83b1cc4394270828c38da9355e5533b3792f7da7f5a070f131000000000e8000000002000020000000d2a5725319f80ae86479f0e87d45db0a7ad15bc08d15dd48471b8007605be821200000009c5bbe91eda2dff9af3ceecbc24420d739368807e087d72cfb3514e33e25e45e40000000ef031cfefafa304e237b5b7b5c4174beca50c590e96a1fddfb6d6195ccb3c509434bcc96053327b5e40d80f9ffac94ddd7dbb392d742b3601b64d07d6d656d91	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0433e5305aeda01	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108613"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1360972622"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108613"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423339025"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1360660144"	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108613"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108613"	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000d175e64b2ae4b553b898b1f6d87a5a905fd5b73a241989f13bbd612951f84f80000000000e800000000200002000000097746a355a9c8cea27a4314c8bb8d745d24731b9736556001245e6ff0a5f3d42200000000ea185a457314a6a2853c374db837b1a74a6bb954966f7491cf719846c8ad233400000002d5d42c698fe353c26778357a301912278ec47f64ad1a920ba3ba09b31a8219ff57a745f031461e10899abc23c594a714343bc90d62b165a60388e13adc1f918	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1360660144"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1360972622"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0089395305aeda01	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7CA6F0CC-19F8-11EF-B865-423B00633FB2} = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	Iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4820	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2476	Iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2476	Iexplore.exe
2476	Iexplore.exe
764	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1000	2688	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe	83
PID 2688 wrote to memory of 1000	2688	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe	83
PID 2688 wrote to memory of 1000	2688	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe	83
PID 2688 wrote to memory of 4820	2688	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe	84
PID 2688 wrote to memory of 4820	2688	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe	84
PID 2688 wrote to memory of 4820	2688	010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe	84
PID 1000 wrote to memory of 2476	1000	Krnl32.exe	95
PID 1000 wrote to memory of 2476	1000	Krnl32.exe	95
PID 2476 wrote to memory of 764	2476	Iexplore.exe	96
PID 2476 wrote to memory of 764	2476	Iexplore.exe	96
PID 2476 wrote to memory of 764	2476	Iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe
"C:\Users\Admin\AppData\Local\Temp\010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\Krnl32.exe
  "C:\Users\Admin\AppData\Local\Temp\Krnl32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Program Files\Internet Explorer\Iexplore.exe
    "C:\Program Files\Internet Explorer\Iexplore.exe" http://wwp.icq.com/scripts/WWPMsg.dll?from=M4TrIx&fromemail=_&subject=MATRIX&body=THE%20MATRIX%20HAS%20COME...&to=90019603%20HTTP/1.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:764
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\HELPME.TXT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ba208409d758d248b5c43be99023d903

SHA1
e8ff44158a1a41784ff773aee0410fce08ffa85b

SHA256
90052b1f97e33e41422ee5bdf739a18a7c66b30c282ea309314b68bbc7c093c1

SHA512
a4c64d8f86d4e2533b7462a3ec5d072f059573d6937c9c4133b61ea14fdb691075a0c28f839d1a54cbc739477d3ef38995439d57308270ddbe670e5e40e5a27c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
8b5c4e0e37fe32c03e258e7536124eb5

SHA1
64cd7881745d2300dede3e00cedf65070b90fa21

SHA256
c91871a6c1413323ab4c5ef51c51fb30c8c30e003c98f2c3bbb25b5a1e985570

SHA512
205b9329791b3e5dee905c2609c2f1f0b07e8fe202ba3a55a0f68779466b7533c03b8489912210ddd307d5e161ef51a451af55c1e67c3a83b731c06da82782ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1642.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zm934n9\imagestore.dat

Filesize
4KB

MD5
32d3f10595b13387eb94fac3fbe9bc87

SHA1
aa6ba1fe8fdfe7aae1caae79b37105e627e4e3a2

SHA256
07c6e435423a4b2f937afa5aa2e32edd92a32a877653053e5451a63fd6bd8fca

SHA512
a10e54ddf0b396fade631d57f55c2df4ff916ffe4d5738e80c34b8767c8299740b1b74a85849f72d78f2704134cd7f2dac389d48644de00923fd9535406c8353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9HVBWIRO\icon_web_60[1].png

Filesize
4KB

MD5
e9dbf6c742169ea700f8386bf639911b

SHA1
2fce93e1b217283c3d7c8ef275748ad69f840815

SHA256
3ce3371ecd679c4e218474046aa2a2ab067dbac5370b983aa8e7d91b208d816b

SHA512
2809218b84cda633e6c5c2e47d8d65c23c1ea05a88b5ee970c6bc6265223ef6e94f0d30605e1f15601ecdc68700eca299990314468a37109cac87b30c575d234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMMYN4JX\en[1].htm

Filesize
41KB

MD5
ee39185389dd344b465d52a2b00c24f4

SHA1
6391a8ec25edaf66de92720e113576892e92f149

SHA256
048b8193d25d826641ce4de886572d782f6b97da86e8c4549bc3fd5517ec8085

SHA512
e0897211866962072dfda695de412c58c424fea36787e39944decadd84029b2e9db58ae3107e1660a366e46cb8313bab114a36a0095031b474699fd184be6c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\HELPME.TXT

Filesize
67B

MD5
057798d389930107a381a2690141ac1d

SHA1
e44f1c2475c0f2323507e141dcae53ffef51c624

SHA256
5ba8c75f08589b808a6e16225ea565734aeeb23edc40894174d2d135f5e8d3d2

SHA512
98b40b6a11027974b482cb645718d34c8ee707ad01d6eba05acbf15a3b8d7c762afc08fef6513623fefe6e297d77a838fbb980d944a4a8e864356dfabac473e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krnl32.exe

Filesize
26KB

MD5
145a5b7214de87604328f3001b44ceff

SHA1
a6b6a25391cb90b6897337c2416c417fdc29890f

SHA256
90bd359735e86d5e47107a7a1aa2f4356e347d01565acb39e4c35ce1b50d8075

SHA512
9a74d74284ef8ca07e8215f3ceb7501666cda5a7d1d8a3baf70c92d9097a2157f979b976f2b0671a8663a61077341ac03ca8b845c06d82a51bfb9b6b031d7ee4

Download Submit
memory/1000-99-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-114-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-118-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-130-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-134-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2688-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2688-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads