Malware Analysis Report

2024-10-24 18:39

Sample ID 210820-cnfpwecy2s
Target cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
SHA256 cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

Threat Level: Shows suspicious behavior

The file cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-20 08:25

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-20 08:25

Reported

2021-08-20 08:29

Platform

win7v20210410

Max time kernel

13s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 1816 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 1816 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 1816 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 1816 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 1348 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1348 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1348 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1348 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"

C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 328

Network

N/A

Files

memory/1816-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsdB50E.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/1348-62-0x000000000040EB61-mapping.dmp

memory/780-64-0x0000000000000000-mapping.dmp

memory/1348-68-0x0000000001EC6000-0x0000000001EC7000-memory.dmp

memory/1348-67-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

memory/1348-66-0x0000000001EB5000-0x0000000001EC6000-memory.dmp

memory/1348-65-0x0000000000400000-0x0000000000414000-memory.dmp

memory/780-69-0x0000000000420000-0x0000000000421000-memory.dmp