Analysis
-
max time kernel
85s -
max time network
145s -
platform
windows10_x64 -
resource
win10 -
submitted
10/07/2020, 22:52
Static task
static1
Behavioral task
behavioral1
Sample
http://192.3.31.220/Advfgmw.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
http://192.3.31.220/Advfgmw.exe
-
Sample
200710-4efaa24286
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1928 Advfgmw.exe -
Checks whether UAC is enabled 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000c7442a2142adc3b231bc7fc131600e8b41cf8112d716ab350a78b30e7a1614cd000000000e800000000200002000000006142c41e53adaf00ded67f6790340297a0eafc8c324f9ce6ea3d2ebb8ee8ac9200000005dde307e0fdefc07910a5345faf8cd234d21f848cccaae2870a5448480a980cb40000000be99a916af336430ce4ca8b731a12582703c690ced77df8d03d3272afc918db50618a4724419921683ddf71393497ebda57c5cb4d6b80c8bd32717a9d30edbdd iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708dc5e20c57d601 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{DAC98300-C1AD-46D2-8A2A-29B9A0A70C49}" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3794389524" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824204" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3794389524" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8061bee20c57d601 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824204" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3800796735" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824204" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DA93AF1-C300-11EA-95F0-CA80A045A15A} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b4679a610d44d601 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e000000000200000000001066000000010000200000006f90fae70be6202902d572e06adb206626142d9a21fa2b75d5c0a4d0c342f866000000000e8000000002000020000000cf75daf20b66d9642d7dce36ccdc6eb182ee898550d69e08159774ccb91a513f2000000004862ae04f48760562645646de3fbcdcfee5c02ae1f0cd52f62495ca78308648400000001be244dd2ab924f711131ff9d81c9f30ba3445075fda4adafbd6135b76926d688068ac5effb729a4fb3afc5687603d2a03915419c36583ab61cd2f4cf8f09b60 iexplore.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Advf = "C:\\Users\\Admin\\AppData\\Local\\Advf\\Advf.hta" Advfgmw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3588 wrote to memory of 3812 3588 iexplore.exe 67 PID 3588 wrote to memory of 3812 3588 iexplore.exe 67 PID 3588 wrote to memory of 3812 3588 iexplore.exe 67 PID 3588 wrote to memory of 1928 3588 iexplore.exe 68 PID 3588 wrote to memory of 1928 3588 iexplore.exe 68 PID 3588 wrote to memory of 1928 3588 iexplore.exe 68 PID 1928 wrote to memory of 2968 1928 Advfgmw.exe 70 PID 1928 wrote to memory of 2968 1928 Advfgmw.exe 70 PID 1928 wrote to memory of 2968 1928 Advfgmw.exe 70 -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3588 iexplore.exe 3588 iexplore.exe 3812 IEXPLORE.EXE 3812 IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3588 iexplore.exe 3588 iexplore.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://192.3.31.220/Advfgmw.exe1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:3588 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3588 CREDAT:82945 /prefetch:22⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3812
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\Advfgmw.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\Advfgmw.exe"2⤵
- Executes dropped EXE
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵PID:2968
-
-