Analysis

max time kernel: 150s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 17:06

Static task: static1
Behavioral task: behavioral1
  Sample: 962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
  Resource: win10v2004-20220414-en

The signatures and process tree on this page come from the behavioral1 run (windows7_x64, win7-20220414-en, per the platform and resource fields above).

General

Target: 962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
Size: 792KB
MD5: 322b2bfde9f2f3d691b4fc1526182305
SHA1: 99bf7caed11dee1bf41bd039634af9d1468e8f69
SHA256: 962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353
SHA512: 6fb915635d37375fd08aa854fb5a1e85ca9bdb6b7a7f5972bf0ea8e677dd24f6128003635626bb0036ef62f04afae7296230cac38adea880a7fa537d694cb132
Malware Config

Signatures

Processes:
  Nonpresidential4.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Processes:
  Nonpresidential4.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
  iexplore.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  iexplore.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2 = "C:\\Users\\Admin\\AppData\\Roaming\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1692  Nonpresidential4.exe
  1856  Nonpresidential4.exe

Loads dropped DLL 3 IoCs
Processes:
  pid   process
  1472  962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
  1472  962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
  1692  Nonpresidential4.exe
Processes:
  Nonpresidential4.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  iexplore.exe  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  iexplore.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2 = "C:\\Users\\Admin\\AppData\\Roaming\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"
  iexplore.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  iexplore.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2 = "C:\\Users\\Admin\\AppData\\Roaming\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"
Both values, and the policy Run value listed earlier, point at the same copy of the implant under the user's AppData\Roaming, and all of them are written by the injected iexplore.exe (PID 900 in the process tree), not by the dropper. The HKLM value lands under Wow6432Node because the writer is a 32-bit process; when checking a 64-bit host, read both the native and the WOW64 view of the Run key.
Processes:
  Nonpresidential4.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Suspicious use of SetThreadContext 3 IoCs
Processes:
  caller pid  caller process        target pid  target process
  1692        Nonpresidential4.exe  1856        Nonpresidential4.exe
  1856        Nonpresidential4.exe  940         iexplore.exe
  1856        Nonpresidential4.exe  900         iexplore.exe
Read together with the WriteProcessMemory rows below and the two iexplore.exe entries in the process tree whose command line is Nonpresidential4.exe, this is the usual process-hollowing sequence: the dropped EXE first re-launches a copy of itself and rewrites that copy's thread context, and the copy then does the same to two freshly started iexplore.exe processes.
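The rows above are the hollowing sequence in raw form. The Python below is an added example, not part of the sandbox report, that turns them into a check a responder can run over process-creation and SetThreadContext telemetry: PROCS and EVENTS are constructed from the pids, image paths and command lines this report records, the image/command-line comparison is the strong signal, and the chain walk gives the order in which to pull memory.

```python
"""Spot process hollowing from SetThreadContext events plus image/command-line mismatch.

Added example, not code from the report or the sandbox. PROCS and EVENTS are
constructed from the process tree and the SetThreadContext rows this report
records (pids, image paths and command lines copied from it).
"""
import ntpath
from collections import deque
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str    # executable the kernel actually mapped (the process's image path)
    cmdline: str  # command line the process was created with


@dataclass
class ThreadCtx:
    src_pid: int  # caller of SetThreadContext
    dst_pid: int  # process owning the thread whose context was rewritten


PROCS = {
    1692: Proc(1692, r"C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"'),
    1856: Proc(1856, r"C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"'),
    940: Proc(940, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r"C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"),
    900: Proc(900, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r"C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"),
}
EVENTS = [ThreadCtx(1692, 1856), ThreadCtx(1856, 940), ThreadCtx(1856, 900)]


def cmdline_image(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_mismatch(proc):
    """True when the mapped image is not the program the command line names:
    the tell-tale of a hollowed (started suspended, unmapped, overwritten) process."""
    return ntpath.basename(proc.image).lower() != ntpath.basename(cmdline_image(proc.cmdline)).lower()


def find_hollowing(procs, events):
    """One finding per cross-process SetThreadContext; 'mismatch' marks the strong signal."""
    findings = []
    for ev in events:
        if ev.src_pid == ev.dst_pid:
            continue  # a process may legitimately set its own threads' context
        dst = procs[ev.dst_pid]
        findings.append({
            "src": ev.src_pid,
            "dst": ev.dst_pid,
            "dst_image": ntpath.basename(dst.image),
            "mismatch": image_mismatch(dst),
        })
    return findings


def injection_chain(events, root):
    """Breadth-first walk of SetThreadContext edges from root: the order a responder follows."""
    graph = {}
    for ev in events:
        graph.setdefault(ev.src_pid, []).append(ev.dst_pid)
    seen, order, queue = {root}, [], deque([root])
    while queue:
        pid = queue.popleft()
        order.append(pid)
        for nxt in graph.get(pid, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    for f in find_hollowing(PROCS, EVENTS):
        print(f)
    print(injection_chain(EVENTS, 1692))
```

The self-copy stage (1692 into 1856) has a matching image and command line, so only the cross-process SetThreadContext flags it; the two iexplore.exe stages fail the mismatch test outright because the kernel mapped Internet Explorer while the command line still names Nonpresidential4.exe.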
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the signature's generic description, not a finding about this sample: nothing else recorded in this report (no bulk file modification, no ransom note) supports a ransomware classification, so treat the heuristic as low confidence here.
Modifies Internet Explorer settings
Processes:
  mshta.exe  Key created  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid   process
  1856  Nonpresidential4.exe
  1856  Nonpresidential4.exe
  1856  Nonpresidential4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  pid  process       token
  900  iexplore.exe  SeDebugPrivilege
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process
  1472  962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
  1692  Nonpresidential4.exe
  1856  Nonpresidential4.exe
  900   iexplore.exe
Suspicious use of WriteProcessMemory 36 IoCs
Processes (identical rows collapsed; the last column is how many times the row appears in the extracted report):
  caller pid  caller process                                                         target pid  target process        rows
  1472        962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe  840         mshta.exe             4
  1472        962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe  1692        Nonpresidential4.exe  4
  1692        Nonpresidential4.exe                                                   1856        Nonpresidential4.exe  10
  1856        Nonpresidential4.exe                                                   940         iexplore.exe          10
  1856        Nonpresidential4.exe                                                   900         iexplore.exe          9
System policy modification 1 TTPs 1 IoCs
Processes:
  Nonpresidential4.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
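Sysmon-style registry-set events can be matched against the writes in this section with a handful of rules. The Python below is an added example, not the sandbox's or anyone else's detection code: its EVENTS list is constructed from the five registry writes recorded above (paths and data copied from them) plus one benign control event, and the rule names are the author's own.

```python
"""Rules over registry-set events for the tampering this report records.

Added example; not from the report or the sandbox. EVENTS is constructed
from the registry IOCs in the signatures above (paths and data copied from
them) plus one benign control event, so the rules can be run offline.
"""
import re
from dataclasses import dataclass


@dataclass
class RegEvent:
    process: str
    path: str   # value path as the sandbox logs it: \REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\...
    data: str   # value data, stringified


IMPLANT = r"C:\Users\Admin\AppData\Roaming\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"
SID = "S-1-5-21-790309383-526510583-3802439154-1000"

EVENTS = [
    RegEvent("Nonpresidential4.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    RegEvent("Nonpresidential4.exe", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify", "0"),
    RegEvent("iexplore.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2", IMPLANT),
    RegEvent("iexplore.exe", "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2", IMPLANT),
    RegEvent("iexplore.exe", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2", IMPLANT),
    # constructed benign control: Explorer toggling a view setting in the same hive
    RegEvent("explorer.exe", "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

_MACHINE = "\\REGISTRY\\MACHINE\\"
_USER_SID = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.I)

AUTORUN_PARENTS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalize_key(path):
    """HKLM/HKCU form with the WOW64 reflection node removed, so one rule covers both views."""
    if path.upper().startswith(_MACHINE):
        path = "HKLM\\" + path[len(_MACHINE):]
    elif _USER_SID.match(path):
        path = "HKCU\\" + _USER_SID.sub("", path)
    return re.sub(r"\\Wow6432Node(?=\\)", "", path, flags=re.I)


def classify(ev):
    """Rule names that fire for one registry-set event."""
    full = normalize_key(ev.path)
    key, _, value = full.rpartition("\\")
    key_l, value_l, data_l = key.lower(), value.lower(), ev.data.lower()
    hits = []
    if key_l.endswith(r"\policies\system") and value_l == "enablelua" and ev.data == "0":
        hits.append("uac_disabled")                      # UAC prompts off machine-wide
    if key_l.endswith(r"\security center") and value_l == "uacdisablenotify" and ev.data == "0":
        hits.append("security_center_notify_disabled")   # hides the Security Center warning about the above
    if key_l.endswith(r"\policies\explorer\run"):
        hits.append("autostart_policy_run")              # policy Run key: honoured at logon, rarely used legitimately
    if key_l.endswith(AUTORUN_PARENTS) and any(d in data_l for d in USER_WRITABLE):
        hits.append("autostart_user_writable")           # autostart pointing into a user-writable directory
    return [{"rule": h, "process": ev.process, "key": full, "data": ev.data} for h in hits]


def run_rules(events):
    alerts = []
    for ev in events:
        alerts.extend(classify(ev))
    return alerts


if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(a["rule"], a["process"], a["key"])
```

Normalising the native path first matters: the same UACDisableNotify write shows up under Wow6432Node on a 64-bit host and without it on a 32-bit one, and the user hive appears under a SID rather than HKCU, so rules written against the raw sandbox path would miss one of the two forms.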
Processes

image: C:\Users\Admin\AppData\Local\Temp\962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
command line: "C:\Users\Admin\AppData\Local\Temp\962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe" 1⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472

  image: C:\Windows\SysWOW64\mshta.exe
  command line: "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\:\Run\FORRENT"" : myKey = ""HKCU\Software\Microsoft\Windows\X\Run\NOME"" : myKey=replace(myKey,"":"",""CurrentVersion"") : WshShell.RegWrite myKey,""C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"",""REG_SZ"" : window.close") 2⤵
    - Modifies Internet Explorer settings
    PID:840

  image: C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe" 2⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1692

    image: C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe" 3⤵
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:1856

      image: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe 4⤵
        PID:940

      image: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe 4⤵
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID:900

Notes on the tree:

The mshta.exe image is under SysWOW64 although the command line names System32: the 32-bit dropper's CreateProcess call was redirected by WOW64 file-system redirection, so this is the 32-bit mshta, consistent with every HKLM write in the signatures landing under Wow6432Node.

The vbscript: argument builds the string "CreateObject" with Replace() so that the literal never appears in the command line, then tries to write a Run value. As recorded, the first myKey assignment (placeholder ":" and value name FORRENT) is dead code, overwritten by the second (placeholder "X" and value name NOME); the following replace(myKey,":","CurrentVersion") therefore changes nothing, and RegWrite lands at HKCU\Software\Microsoft\Windows\X\Run\NOME, which is not an autostart location. That agrees with the Run-key signatures above, which record only the writes made by iexplore.exe (PID 900); the mshta stage contributes no working persistence.

Both iexplore.exe entries have Internet Explorer as the mapped image but Nonpresidential4.exe as the command line, the visible side effect of process hollowing and the same pair that appears in the SetThreadContext rows. PID 940 shows no further activity in this run; PID 900 is the process that takes SeDebugPrivilege and writes all three autostart values.
Network
MITRE ATT&CK Enterprise v6
Downloads

File
Filesize: 792KB
MD5: 1bb033c5e2b4a4bb05987306d78e0438
SHA1: 4208031de927ba66e730a55236ec3750ad59c589
SHA256: 5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28
SHA512: c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd
Same 792KB size as the submitted sample but different hashes, so it is not a byte-identical copy of the parent.