Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-06-2022 21:29
Static task: static1
Behavioral task: behavioral1
- Sample: 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
- Resource: win10v2004-20220414-en
General
- Target: 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
- Size: 584KB
- MD5: 171569a4ca58064919c3d9e9cffcd1d0
- SHA1: 754db0cdffc636d95ee6a12d19a045bc95d9444c
- SHA256: 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30
- SHA512: fb08c20a852663129aeb5e50d4e1c9e63d0a084a27cc81d60a79525f996bbcc25f04859b7c381f01f3c266e14a12e03b1c5b1efbd3affeb5b348c1d32075b151
Malware Config
Signatures
Processes:
  description     | ioc                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe

Processes:
  description     | ioc                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"      | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                          | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run            | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331 = "C:\\Users\\Admin\\AppData\\Roaming\\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331\\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331.exe" | iexplore.exe

Deletes itself (1 IoCs)
Processes:
  pid  | process
  1732 | notepad.exe

Processes:
  description     | ioc                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"      | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description     | ioc                                                                                          | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331 = "C:\\Users\\Admin\\AppData\\Roaming\\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331\\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331.exe" | iexplore.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331 = "C:\\Users\\Admin\\AppData\\Roaming\\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331\\O6F008P6-Y2C0-M8X2-S888-B1Y5L7K7Q331.exe" | iexplore.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                  | iexplore.exe

Processes:
  description     | ioc                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                         | pid  | process                                                               | target process
  PID 560 set thread context of 2016  | 560  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  PID 2016 set thread context of 2000 | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 2000 | iexplore.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid  | process
  560  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  2000 | iexplore.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                       | pid  | process                                                               | target process
  PID 560 wrote to memory of 2016   | 560  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  PID 560 wrote to memory of 2016   | 560  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  PID 560 wrote to memory of 2016   | 560  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  PID 560 wrote to memory of 2016   | 560  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2016 wrote to memory of 2000  | 2016 | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe | iexplore.exe
  PID 2000 wrote to memory of 1732  | 2000 | iexplore.exe                                                          | notepad.exe
  PID 2000 wrote to memory of 1732  | 2000 | iexplore.exe                                                          | notepad.exe
  PID 2000 wrote to memory of 1732  | 2000 | iexplore.exe                                                          | notepad.exe
  PID 2000 wrote to memory of 1732  | 2000 | iexplore.exe                                                          | notepad.exe
  PID 2000 wrote to memory of 1732  | 2000 | iexplore.exe                                                          | notepad.exe

System policy modification (1 TTPs, 1 IoCs)
Processes:
  description     | ioc                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  | 24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
Processes (process tree; the number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe"
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad.exe
                - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/560-56-0x0000000000270000-0x0000000000277000-memory.dmp (Filesize 28KB)
- memory/560-57-0x0000000075271000-0x0000000075273000-memory.dmp (Filesize 8KB)
- memory/560-59-0x0000000000270000-0x0000000000277000-memory.dmp (Filesize 28KB)
- memory/560-60-0x0000000077170000-0x0000000077319000-memory.dmp (Filesize 1.7MB)
- memory/560-61-0x0000000077350000-0x00000000774D0000-memory.dmp (Filesize 1.5MB)
- memory/1732-71-0x0000000000000000-mapping.dmp
- memory/2016-63-0x0000000000400000-0x0000000000495000-memory.dmp (Filesize 596KB)
- memory/2016-64-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/2016-69-0x0000000077170000-0x0000000077319000-memory.dmp (Filesize 1.7MB)
- memory/2016-70-0x0000000077350000-0x00000000774D0000-memory.dmp (Filesize 1.5MB)
- memory/2016-58-0x000000000047C36D-mapping.dmp
- memory/2016-73-0x00000000002A0000-0x00000000002A7000-memory.dmp (Filesize 28KB)
- memory/2016-74-0x0000000077350000-0x00000000774D0000-memory.dmp (Filesize 1.5MB)