Analysis
-
max time kernel
150s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
15-03-2022 17:52
Static task
static1
Behavioral task
behavioral1
Sample
gunzipped.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
gunzipped.exe
Resource
win10v2004-en-20220113
General
-
Target
gunzipped.exe
-
Size
773KB
-
MD5
fd5a0326a71e89b2ff144ea336fac113
-
SHA1
aa6b046a0ed889b59cdb0ee9a957c4c6d542e233
-
SHA256
bda50ff249b947617d9551c717e78131ed32bf77db9dc5b7591d3e1af6cb2f1a
-
SHA512
51a75041b8fe9dab9cb51e28b39a497eff7ccb4c81311223ec92492cd3ddcfb6bc91ebf555f61a8b25423d81fd692920b44980ab306acb3b8451b633f297b800
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6 = "C:\\Users\\Admin\\AppData\\Roaming\\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6.exe" iexplore.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" gunzipped.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
iexplore.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts iexplore.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6 = "C:\\Users\\Admin\\AppData\\Roaming\\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6 = "C:\\Users\\Admin\\AppData\\Roaming\\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6.exe" iexplore.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe -
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4272 2096 WerFault.exe iexplore.exe 2308 3408 WerFault.exe iexplore.exe 4716 3408 WerFault.exe iexplore.exe 4284 3160 WerFault.exe iexplore.exe -
Suspicious use of SetThreadContext 10 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exedescription pid process target process PID 1624 set thread context of 520 1624 gunzipped.exe gunzipped.exe PID 520 set thread context of 2276 520 gunzipped.exe iexplore.exe PID 2276 set thread context of 2992 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 4016 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 2096 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 3092 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 3408 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 3160 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 5060 2276 iexplore.exe iexplore.exe PID 2276 set thread context of 5108 2276 iexplore.exe iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
gunzipped.exeiexplore.exeiexplore.exepid process 520 gunzipped.exe 520 gunzipped.exe 2992 iexplore.exe 2992 iexplore.exe 520 gunzipped.exe 520 gunzipped.exe 3092 iexplore.exe 3092 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
iexplore.exeiexplore.exedescription pid process Token: SeDebugPrivilege 2276 iexplore.exe Token: SeDebugPrivilege 2992 iexplore.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
gunzipped.exeiexplore.exepid process 520 gunzipped.exe 2276 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exedescription pid process target process PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 1624 wrote to memory of 520 1624 gunzipped.exe gunzipped.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 520 wrote to memory of 2276 520 gunzipped.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2992 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 4016 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 2096 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3092 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3408 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3160 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3160 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3160 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3160 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3160 2276 iexplore.exe iexplore.exe PID 2276 wrote to memory of 3160 2276 iexplore.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\gunzipped.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey0.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey2.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey2.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1005⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2096 -ip 20961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3408 -ip 34081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3408 -ip 34081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3160 -ip 31601⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey2.txtMD5
f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey4.txtMD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/520-137-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/520-139-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1624-130-0x0000000000DC0000-0x0000000000E88000-memory.dmpFilesize
800KB
-
memory/1624-131-0x0000000005E40000-0x00000000063E4000-memory.dmpFilesize
5.6MB
-
memory/1624-132-0x0000000005890000-0x0000000005922000-memory.dmpFilesize
584KB
-
memory/1624-133-0x0000000075370000-0x0000000075B20000-memory.dmpFilesize
7.7MB
-
memory/1624-134-0x0000000005840000-0x000000000584A000-memory.dmpFilesize
40KB
-
memory/1624-135-0x0000000005790000-0x0000000005822000-memory.dmpFilesize
584KB
-
memory/1624-136-0x00000000095A0000-0x000000000963C000-memory.dmpFilesize
624KB