Analysis Overview
SHA256
cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
Threat Level: Shows suspicious behavior
The file cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-20 08:25
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-20 08:25
Reported
2021-08-20 08:29
Platform
win7v20210410
Max time kernel
13s
Max time network
49s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1816 set thread context of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"
C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 328
Network
Files
memory/1816-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsdB50E.tmp\System.dll
| MD5 | fccff8cb7a1067e23fd2e2b63971a8e1 |
| SHA1 | 30e2a9e137c1223a78a0f7b0bf96a1c361976d91 |
| SHA256 | 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e |
| SHA512 | f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c |
memory/1348-62-0x000000000040EB61-mapping.dmp
memory/780-64-0x0000000000000000-mapping.dmp
memory/1348-68-0x0000000001EC6000-0x0000000001EC7000-memory.dmp
memory/1348-67-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
memory/1348-66-0x0000000001EB5000-0x0000000001EC6000-memory.dmp
memory/1348-65-0x0000000000400000-0x0000000000414000-memory.dmp
memory/780-69-0x0000000000420000-0x0000000000421000-memory.dmp