Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2022 13:10
Behavioral task: behavioral1
- Sample: FSZJXW.exe
- Resource: win7-20220414-en
General
- Target: FSZJXW.exe
- Size: 423KB
- MD5: 480130235a7e456be7d7de31c47e7d07
- SHA1: 67baa1f65ad6244485ddcf819c64717981e92d2b
- SHA256: 7b23a666b13afaaba8005119e47c2f29f396c08a4d087abd3a0a254d3a6dbbe4
- SHA512: 6726ed8447ba254156fc60dfbb6b01e5e89861aab682345577a35d3fbacebc7f7580dab04dad23e09727e67aa5a48f0616a8473a56f2287c4c8f25efab058c1d
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: FSZJXW.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (FSZJXW.exe)
Processes: FSZJXW.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (FSZJXW.exe)
Processes: FSZJXW.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (FSZJXW.exe)
Processes: (memory resources matched by yara rule)
- behavioral2/memory/3372-130-0x0000000003790000-0x000000000481E000-memory.dmp: upx
- behavioral2/memory/3372-131-0x0000000000400000-0x00000000004DC000-memory.dmp: upx
- behavioral2/memory/3372-132-0x0000000000400000-0x00000000004DC000-memory.dmp: upx
- behavioral2/memory/3372-133-0x0000000003790000-0x000000000481E000-memory.dmp: upx
Processes: FSZJXW.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (FSZJXW.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (FSZJXW.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (FSZJXW.exe)
Processes: FSZJXW.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (FSZJXW.exe)
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes: (memory resources matched by yara rule)
- behavioral2/memory/3372-131-0x0000000000400000-0x00000000004DC000-memory.dmp: autoit_exe
- behavioral2/memory/3372-132-0x0000000000400000-0x00000000004DC000-memory.dmp: autoit_exe
Drops file in Windows directory 1 IoCs
Processes: FSZJXW.exe
- File opened for modification C:\Windows\SYSTEM.INI (FSZJXW.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: FSZJXW.exe
- PID 3372 FSZJXW.exe
- PID 3372 FSZJXW.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: FSZJXW.exe
- Token: SeDebugPrivilege, PID 3372, FSZJXW.exe (the same entry is recorded 64 times)
Suspicious use of WriteProcessMemory 13 IoCs
Processes: FSZJXW.exe (source PID 3372); target PID and target process:
- PID 3372 wrote to memory of 808 (fontdrvhost.exe)
- PID 3372 wrote to memory of 816 (fontdrvhost.exe)
- PID 3372 wrote to memory of 332 (dwm.exe)
- PID 3372 wrote to memory of 2800 (sihost.exe)
- PID 3372 wrote to memory of 2812 (svchost.exe)
- PID 3372 wrote to memory of 2884 (taskhostw.exe)
- PID 3372 wrote to memory of 744 (Explorer.EXE)
- PID 3372 wrote to memory of 2896 (svchost.exe)
- PID 3372 wrote to memory of 3268 (DllHost.exe)
- PID 3372 wrote to memory of 3360 (StartMenuExperienceHost.exe)
- PID 3372 wrote to memory of 3424 (RuntimeBroker.exe)
- PID 3372 wrote to memory of 3520 (SearchApp.exe)
- PID 3372 wrote to memory of 3696 (RuntimeBroker.exe)
System policy modification 1 TTPs 1 IoCs
Processes: FSZJXW.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (FSZJXW.exe)
Processes (image path, command line, tree level; level 2 entries are children of the preceding level 1 entry)
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe" (level 1)
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe" (level 1)
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe" (level 1)
- C:\Windows\system32\sihost.exe
  command line: sihost.exe (level 1)
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (level 1)
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (level 1)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE (level 1)
  - C:\Users\Admin\AppData\Local\Temp\FSZJXW.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\FSZJXW.exe" (level 2)
    signatures triggered:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (level 1)
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3372-130-0x0000000003790000-0x000000000481E000-memory.dmp (filesize 16.6MB)
- memory/3372-131-0x0000000000400000-0x00000000004DC000-memory.dmp (filesize 880KB)
- memory/3372-132-0x0000000000400000-0x00000000004DC000-memory.dmp (filesize 880KB)
- memory/3372-133-0x0000000003790000-0x000000000481E000-memory.dmp (filesize 16.6MB)