Analysis

max time kernel: 161s
max time network: 160s
platform: windows10_x64
resource: win10v20201028
submitted: 06-03-2021 21:01

Static task: static1
Behavioral task: behavioral1
Sample: Release/TorrentParser-CLI.exe
Resource: win10v20201028
General

Target: Release/TorrentParser-CLI.exe
Size: 8KB
MD5: 8a2b9a6128c3c4a9701ed0504033dd58
SHA1: 9d7b57c784f3f4aa7b700a115f52c086de19b74b
SHA256: 6c738a8033611e29b67057b4401e5c8718998ad7caac94d4dfb0762275956652
SHA512: 93e86b3edc47b93937a7158220efae4508e048d418c94472d6474c68673fed8379055251034d28aa664c88eb6fbec930da2d4721cd591d9e5958451490f62070
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 1216 created 3020 | 1216 | SystemSettings.exe | Explorer.EXE

Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
Enables rebooting of the machine without requiring login credentials.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | rundll32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | rundll32.exe

Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | SystemSettings.exe

Modifies Control Panel (4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\User Profile | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\User Profile | rundll32.exe

Modifies data under HKEY_USERS (15 IoCs)
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe

Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | SystemSettings.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 68 | TorrentParser-CLI.exe
Token: SeShutdownPrivilege | 3264 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 3264 | SystemSettings.exe
Token: SeShutdownPrivilege | 3264 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 3264 | SystemSettings.exe
Token: SeShutdownPrivilege | 1216 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 1216 | SystemSettings.exe
Token: SeShutdownPrivilege | 1216 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 1216 | SystemSettings.exe
Token: SeTakeOwnershipPrivilege | 1216 | SystemSettings.exe
Token: SeRestorePrivilege | 1216 | SystemSettings.exe
Token: SeShutdownPrivilege | 3460 | rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
3264 | SystemSettings.exe
1216 | SystemSettings.exe

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
pid | process
3264 | SystemSettings.exe
3264 | SystemSettings.exe
1216 | SystemSettings.exe
1216 | SystemSettings.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
3264 | SystemSettings.exe
1216 | SystemSettings.exe
2152 | LogonUI.exe
2152 | LogonUI.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 1216 wrote to memory of 4000 | 1216 | SystemSettings.exe | SystemSettingsAdminFlows.exe
PID 1216 wrote to memory of 4000 | 1216 | SystemSettings.exe | SystemSettingsAdminFlows.exe
PID 1216 wrote to memory of 4000 | 1216 | SystemSettings.exe | SystemSettingsAdminFlows.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\Release\TorrentParser-CLI.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Release\TorrentParser-CLI.exe"
      Signatures:
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\SystemSettingsAdminFlows.exe
      Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller

    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl
      Signatures:
      - Checks computer location settings
      - Modifies Control Panel

    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl
      Signatures:
      - Checks computer location settings
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  Command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  Command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad9055 /state1:0x41c64e6d
  Signatures:
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms
  MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
  SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
  SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
  SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

memory/68-2-0x0000000073300000-0x00000000739EE000-memory.dmp
  Filesize: 6.9MB

memory/68-3-0x0000000000460000-0x0000000000461000-memory.dmp
  Filesize: 4KB

memory/68-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
  Filesize: 4KB

memory/68-6-0x0000000004F40000-0x0000000004F41000-memory.dmp
  Filesize: 4KB

memory/4000-8-0x0000000000000000-mapping.dmp