Analysis
-
max time kernel
119s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
29-11-2021 10:54
Static task
static1
Behavioral task
behavioral1
Sample
d5438415ed71322922b70ac85ad02f64.exe
Resource
win7-en-20211104
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
d5438415ed71322922b70ac85ad02f64.exe
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
General
-
Target
d5438415ed71322922b70ac85ad02f64.exe
-
Size
172KB
-
MD5
d5438415ed71322922b70ac85ad02f64
-
SHA1
832cfa96f5ff034db65707f6781752441beaf0aa
-
SHA256
3d7e2744ac50ae3ff7fcdbf97b4f70af8236ade6c3d2e82004f0641be304f83b
-
SHA512
7f12be61ddb39cd357f817cf1c47110128ae2d962e9c1fcb947f8f7ed6084db5a3607f3edda06680e3d078c50a754859511cb69c0adac01360b51cee54925b6c
Score
10/10
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe -
Processes:
d5438415ed71322922b70ac85ad02f64.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" d5438415ed71322922b70ac85ad02f64.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" iexplore.exe -
Processes:
d5438415ed71322922b70ac85ad02f64.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5438415ed71322922b70ac85ad02f64.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
d5438415ed71322922b70ac85ad02f64.exedescription pid process target process PID 3152 set thread context of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
d5438415ed71322922b70ac85ad02f64.exepid process 3152 d5438415ed71322922b70ac85ad02f64.exe 3152 d5438415ed71322922b70ac85ad02f64.exe 3152 d5438415ed71322922b70ac85ad02f64.exe 3152 d5438415ed71322922b70ac85ad02f64.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
iexplore.exedescription pid process Token: SeDebugPrivilege 2592 iexplore.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
d5438415ed71322922b70ac85ad02f64.exeiexplore.exepid process 3152 d5438415ed71322922b70ac85ad02f64.exe 2592 iexplore.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
d5438415ed71322922b70ac85ad02f64.exedescription pid process target process PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe PID 3152 wrote to memory of 2592 3152 d5438415ed71322922b70ac85ad02f64.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
d5438415ed71322922b70ac85ad02f64.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d5438415ed71322922b70ac85ad02f64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5438415ed71322922b70ac85ad02f64.exe"C:\Users\Admin\AppData\Local\Temp\d5438415ed71322922b70ac85ad02f64.exe"1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\d5438415ed71322922b70ac85ad02f64.exe2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx