Analysis
-
max time kernel
76s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
28-04-2022 11:57
Static task
static1
Behavioral task
behavioral1
Sample
gunzipped.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
gunzipped.exe
Resource
win10v2004-20220414-en
General
-
Target
gunzipped.exe
-
Size
892KB
-
MD5
76ee7c7ec27ac1d8ac5b42ce1813b3f4
-
SHA1
5cf06e9981723e56996ed0a7c19f677ca0e1d187
-
SHA256
6068e249773f4636d788ac7793a6184c02d3107fdbdc9209b0ebe59761883189
-
SHA512
ff5a6b7daffdba0d05823b79c6251eeb82f6c43bf21dd65c558367e205a0753740e9dc823dbc9e74c798e62dd6aeee8b43e8a394fbebd71e814d174bb3e6e4ed
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0 = "C:\\Users\\Admin\\AppData\\Roaming\\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0.exe" iexplore.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" gunzipped.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
iexplore.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts iexplore.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0 = "C:\\Users\\Admin\\AppData\\Roaming\\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0 = "C:\\Users\\Admin\\AppData\\Roaming\\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0.exe" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe -
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1264 1900 WerFault.exe iexplore.exe 3040 2940 WerFault.exe iexplore.exe 4380 2940 WerFault.exe iexplore.exe 1212 3972 WerFault.exe iexplore.exe -
Suspicious use of SetThreadContext 10 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exedescription pid process target process PID 4924 set thread context of 760 4924 gunzipped.exe gunzipped.exe PID 760 set thread context of 4188 760 gunzipped.exe iexplore.exe PID 4188 set thread context of 1900 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 1980 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 1636 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 3032 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 2940 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 4316 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 3972 4188 iexplore.exe iexplore.exe PID 4188 set thread context of 3564 4188 iexplore.exe iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
gunzipped.exeiexplore.exeiexplore.exepid process 760 gunzipped.exe 760 gunzipped.exe 760 gunzipped.exe 760 gunzipped.exe 1980 iexplore.exe 1980 iexplore.exe 3032 iexplore.exe 3032 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
iexplore.exeiexplore.exedescription pid process Token: SeDebugPrivilege 4188 iexplore.exe Token: SeDebugPrivilege 1980 iexplore.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
gunzipped.exeiexplore.exepid process 760 gunzipped.exe 4188 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exedescription pid process target process PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 4924 wrote to memory of 760 4924 gunzipped.exe gunzipped.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 760 wrote to memory of 4188 760 gunzipped.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1900 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1980 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 1636 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 3032 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 2940 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe PID 4188 wrote to memory of 4316 4188 iexplore.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\gunzipped.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr0.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr0.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr2.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 125⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 205⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1900 -ip 19001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2940 -ip 29401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2940 -ip 29401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3972 -ip 39721⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr2.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr4.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/760-136-0x0000000000000000-mapping.dmp
-
memory/760-137-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/760-139-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/760-142-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4924-130-0x00000000007C0000-0x00000000008A6000-memory.dmpFilesize
920KB
-
memory/4924-131-0x0000000005720000-0x0000000005CC4000-memory.dmpFilesize
5.6MB
-
memory/4924-132-0x0000000005250000-0x00000000052E2000-memory.dmpFilesize
584KB
-
memory/4924-133-0x0000000005410000-0x000000000541A000-memory.dmpFilesize
40KB
-
memory/4924-134-0x0000000007450000-0x00000000074EC000-memory.dmpFilesize
624KB
-
memory/4924-135-0x0000000008F60000-0x0000000008FC6000-memory.dmpFilesize
408KB