Overview
- overview: 10
Static
- static
- nizanmfts_fr/??.exe, windows7_x64: 5
- nizanmfts_fr/??.exe, windows10-2004_x64: 5
- nizanmfts_fr/????.url, windows7_x64: 6
- nizanmfts_fr/????.url, windows10-2004_x64: 6
- nizanmfts_...??.url, windows7_x64: 6
- nizanmfts_...??.url, windows10-2004_x64: 6
- nizanmfts_fr/load.dll, windows7_x64: 10
- nizanmfts_fr/load.dll, windows10-2004_x64: 10
Analysis
- max time kernel: 152s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 08:02
Static task: static1
Behavioral task behavioral1: sample nizanmfts_fr/??.exe, resource win7-20220414-en
Behavioral task behavioral2: sample nizanmfts_fr/??.exe, resource win10v2004-20220414-en
Behavioral task behavioral3: sample nizanmfts_fr/????.url, resource win7-20220414-en
Behavioral task behavioral4: sample nizanmfts_fr/????.url, resource win10v2004-20220414-en
Behavioral task behavioral5: sample nizanmfts_fr/??????.url, resource win7-20220414-en
Behavioral task behavioral6: sample nizanmfts_fr/??????.url, resource win10v2004-20220414-en
Behavioral task behavioral7: sample nizanmfts_fr/load.dll, resource win7-20220414-en
General
- Target: nizanmfts_fr/??.exe
- Size: 3.3MB
- MD5: e1997a27641510d0700ccb7cbe11b530
- SHA1: ff6f583f40494250acea810fdb3126356807645c
- SHA256: dd76a68797960e242e385175fc16c0b291374bdd2fcc71a04fcdbc3b17cc86bf
- SHA512: e54dd30c7e761680a12565a4ed74c70c5a82e93968444a4fc66b16491b1606743e9264a18c7a47ec57641c1b24b7353397859575a1bdddb00480778eaac0ea37
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (25 IoCs)
  Processes: __.exe
  pid: 3192, process: __.exe (same entry for every IoC)
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid: 2868, pid_target: 3192, process: WerFault.exe, target process: __.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: __.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, process: __.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, process: __.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: __.exe
  pid: 3192, process: __.exe (same entry for both IoCs)
Processes
- "C:\Users\Admin\AppData\Local\Temp\nizanmfts_fr\__.exe" (C:\Users\Admin\AppData\Local\Temp\nizanmfts_fr\__.exe), PID: 3192
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1296 (C:\Windows\SysWOW64\WerFault.exe), PID: 2868
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3192 -ip 3192 (C:\Windows\SysWOW64\WerFault.exe), PID: 4036