Analysis
max time kernel: 144s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 11:42
Static task: static1
Behavioral task: behavioral1
Sample: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
Resource: win7-20220414-en
General
Target: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
Size: 676KB
MD5: 8d2bedd39ea94e7fc099b5bf489eb37a
SHA1: fa80956af1e01ef7c0ab1bd984a3da58af64b8a8
SHA256: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a
SHA512: c9cc02ef277910b51b36505a47d93feeac8d5fbb31c766df547a460c120e0d88863d28a134a423540f96e41066f8f8558b5b2401163c272db892709c8951202a
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Executes dropped EXE (2 IoCs)
Processes: my_pc.exe, my_pc.exe
pid | process
4196 | my_pc.exe
4468 | my_pc.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes: my_pc.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\53c39moyi.exe | my_pc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\53c39moyi.exe\DisableExceptionChainValidation | my_pc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "dwugitqzq.exe" | explorer.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
Loads dropped DLL (1 IoCs)
Processes: my_pc.exe
pid | process
4196 | my_pc.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\53c39moyi.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\53c39moyi.exe\"" | explorer.exe
Checks whether UAC is enabled
Processes: my_pc.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | my_pc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: my_pc.exe, explorer.exe
pid | process
4468 | my_pc.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: my_pc.exe
description | pid | process | target process
PID 4196 set thread context of 4468 | 4196 | my_pc.exe | my_pc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\my_pc.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\my_pc.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\my_pc.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\my_pc.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\my_pc.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\my_pc.exe | nsis_installer_2
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: my_pc.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | my_pc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | my_pc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Runs ping.exe (1 TTPs, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe, explorer.exe
pid | process
3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: my_pc.exe, my_pc.exe
pid | process
4196 | my_pc.exe
4468 | my_pc.exe
4468 | my_pc.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe, my_pc.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
Token: SeDebugPrivilege | 4468 | my_pc.exe
Token: SeRestorePrivilege | 4468 | my_pc.exe
Token: SeBackupPrivilege | 4468 | my_pc.exe
Token: SeLoadDriverPrivilege | 4468 | my_pc.exe
Token: SeCreatePagefilePrivilege | 4468 | my_pc.exe
Token: SeShutdownPrivilege | 4468 | my_pc.exe
Token: SeTakeOwnershipPrivilege | 4468 | my_pc.exe
Token: SeChangeNotifyPrivilege | 4468 | my_pc.exe
Token: SeCreateTokenPrivilege | 4468 | my_pc.exe
Token: SeMachineAccountPrivilege | 4468 | my_pc.exe
Token: SeSecurityPrivilege | 4468 | my_pc.exe
Token: SeAssignPrimaryTokenPrivilege | 4468 | my_pc.exe
Token: SeCreateGlobalPrivilege | 4468 | my_pc.exe
Token: 33 | 4468 | my_pc.exe
Token: SeDebugPrivilege | 2168 | explorer.exe
Token: SeRestorePrivilege | 2168 | explorer.exe
Token: SeBackupPrivilege | 2168 | explorer.exe
Token: SeLoadDriverPrivilege | 2168 | explorer.exe
Token: SeCreatePagefilePrivilege | 2168 | explorer.exe
Token: SeShutdownPrivilege | 2168 | explorer.exe
Token: SeTakeOwnershipPrivilege | 2168 | explorer.exe
Token: SeChangeNotifyPrivilege | 2168 | explorer.exe
Token: SeCreateTokenPrivilege | 2168 | explorer.exe
Token: SeMachineAccountPrivilege | 2168 | explorer.exe
Token: SeSecurityPrivilege | 2168 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 2168 | explorer.exe
Token: SeCreateGlobalPrivilege | 2168 | explorer.exe
Token: 33 | 2168 | explorer.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe, cmd.exe, my_pc.exe, my_pc.exe
description | pid | process | target process
PID 3232 wrote to memory of 4196 | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe | my_pc.exe
PID 3232 wrote to memory of 4196 | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe | my_pc.exe
PID 3232 wrote to memory of 4196 | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe | my_pc.exe
PID 3232 wrote to memory of 3428 | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe | cmd.exe
PID 3232 wrote to memory of 3428 | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe | cmd.exe
PID 3232 wrote to memory of 3428 | 3232 | 458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe | cmd.exe
PID 3428 wrote to memory of 3432 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 3432 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 3432 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 3000 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 3000 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 3000 | 3428 | cmd.exe | PING.EXE
PID 4196 wrote to memory of 4468 | 4196 | my_pc.exe | my_pc.exe
PID 4196 wrote to memory of 4468 | 4196 | my_pc.exe | my_pc.exe
PID 4196 wrote to memory of 4468 | 4196 | my_pc.exe | my_pc.exe
PID 4196 wrote to memory of 4468 | 4196 | my_pc.exe | my_pc.exe
PID 4468 wrote to memory of 2168 | 4468 | my_pc.exe | explorer.exe
PID 4468 wrote to memory of 2168 | 4468 | my_pc.exe | explorer.exe
PID 4468 wrote to memory of 2168 | 4468 | my_pc.exe | explorer.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\my_pc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\my_pc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\my_pc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\my_pc.exe"
        - Executes dropped EXE
        - Sets file execution options in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Modifies firewall policy service
          - Sets file execution options in registry
          - Checks BIOS information in registry
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies Internet Explorer Protected Mode
          - Modifies Internet Explorer Protected Mode Banner
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 100
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 900
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\my_pc.exe
  Filesize: 429KB
  MD5: e00e9b1d21625f31c4fb4daaf03fdea7
  SHA1: 750217a7a0c887bdec4b674d74d1509cb156aa2f
  SHA256: de1d6d75c83bb57e59dbd2100492887c04cfbe80ecf25630b78591d4a5c12708
  SHA512: acac51d87f55562e11f735c722235cc1acb01bfc144c9900c5b38a875ef0f262892afdf1dd4b439fdcb3af583e31ab75267ff9c307f44acbf4dbe2fafa443e57
- C:\Users\Admin\AppData\Local\Temp\nszEC99.tmp\System.dll
  Filesize: 11KB
  MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
  SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
  SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
  SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
- memory/2168-155-0x0000000000800000-0x00000000008D5000-memory.dmp (Filesize: 852KB)
- memory/2168-146-0x0000000000000000-mapping.dmp
- memory/2168-153-0x0000000000800000-0x00000000008D5000-memory.dmp (Filesize: 852KB)
- memory/2168-154-0x0000000000800000-0x00000000008D5000-memory.dmp (Filesize: 852KB)
- memory/2168-152-0x0000000000060000-0x0000000000493000-memory.dmp (Filesize: 4.2MB)
- memory/3000-137-0x0000000000000000-mapping.dmp
- memory/3232-130-0x0000000004B70000-0x0000000005114000-memory.dmp (Filesize: 5.6MB)
- memory/3428-133-0x0000000000000000-mapping.dmp
- memory/3432-136-0x0000000000000000-mapping.dmp
- memory/4196-138-0x00000000022F0000-0x0000000002327000-memory.dmp (Filesize: 220KB)
- memory/4196-141-0x00000000022F0000-0x0000000002327000-memory.dmp (Filesize: 220KB)
- memory/4196-131-0x0000000000000000-mapping.dmp
- memory/4468-142-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/4468-148-0x0000000000830000-0x000000000083D000-memory.dmp (Filesize: 52KB)
- memory/4468-149-0x00000000026A0000-0x00000000026AC000-memory.dmp (Filesize: 48KB)
- memory/4468-150-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/4468-151-0x00000000007C0000-0x0000000000826000-memory.dmp (Filesize: 408KB)
- memory/4468-147-0x00000000007C0000-0x0000000000826000-memory.dmp (Filesize: 408KB)
- memory/4468-144-0x00000000007C0000-0x0000000000826000-memory.dmp (Filesize: 408KB)
- memory/4468-143-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/4468-139-0x0000000000000000-mapping.dmp