81e4d24ec59cd886916988d34ee0ab0b451661552fba2569228b26ad20ec779f | Triage

Analysis

max time kernel
278s
max time network
279s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 21:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Secret Box.exe
Size

137KB
MD5

45d0fe3923b0f31ab15a196a5543114a
SHA1

9f9891b3c37e159450521efc426358251791290a
SHA256

81e4d24ec59cd886916988d34ee0ab0b451661552fba2569228b26ad20ec779f
SHA512

33ffb3c0fde10298e3e43311878719b32b3442e92c6cd4d49c05380f9d245182841ce518d0474945bfa58e004bf8127ac5ed8d081d295f1d7fb008fc3a17f0cf

Score

3^/10

Malware Config

Signatures

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\File Locker\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Secret Box.exe"	Secret Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\File Locker\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Secret Box.exe %1"	Secret Box.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker	Secret Box.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker\shell\open\command	Secret Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Secret Box.exe\" %1"	Secret Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\.aram\ = "File Locker"	Secret Box.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\.aram	Secret Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\File Locker	Secret Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\File Locker\Command	Secret Box.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker\DefaultIcon	Secret Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Secret Box.exe"	Secret Box.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker\shell	Secret Box.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\File Locker\shell\open	Secret Box.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3852	3684	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3852	WerFault.exe
Token: SeBackupPrivilege	3852	WerFault.exe
Token: SeDebugPrivilege	3852	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Secret Box.exe
"C:\Users\Admin\AppData\Local\Temp\Secret Box.exe"
1⤵
- Modifies registry class
PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1168
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3852-0-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3852-1-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3852-3-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3852-4-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download