Analysis
max time kernel: 62s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220722-en locale:en-us os:windows10-2004-x64 system
submitted: 25-07-2022 15:07
Static task: static1
Behavioral task: behavioral1
Sample: 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe
Resource: win7-20220718-en
General
Target: 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe
Size: 849KB
MD5: 0f97c0600cb950fe9430023345529356
SHA1: 0464e631d06da0bc9a18a4b1b6252c436686914a
SHA256: 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
SHA512: 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Executes dropped EXE (2 IoCs)
Processes: file name.exe, file name.exe
pid | process
4892 | file name.exe
3296 | file name.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes: file name.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ay7y1s5goa1939q.exe | file name.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ay7y1s5goa1939q.exe\DisableExceptionChainValidation | file name.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "cvjssuszju.exe" | explorer.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Defragmenter = "\"C:\\ProgramData\\Registry Defragmenter\\ay7y1s5goa1939q.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Registry Defragmenter = "C:\\ProgramData\\Registry Defragmenter\\ay7y1s5goa1939q.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Checks whether UAC is enabled
Processes: file name.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file name.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: file name.exe, explorer.exe
pid | process
3296 | file name.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: file name.exe
description | pid | process | target process
PID 4892 set thread context of 3296 | 4892 | file name.exe | file name.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
2176 | 2812 | WerFault.exe | explorer.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: file name.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file name.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file name.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: explorer.exe
pid | process
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
2812 | explorer.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: file name.exe
pid | process
3296 | file name.exe
3296 | file name.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: file name.exe, explorer.exe
Each of the two processes below adjusted the same 14 tokens, in this order:
pid | process | tokens
3296 | file name.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
2812 | explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe, file name.exe, file name.exe
description | pid | process | target process
PID 4308 wrote to memory of 4892 | 4308 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe | file name.exe
PID 4308 wrote to memory of 4892 | 4308 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe | file name.exe
PID 4308 wrote to memory of 4892 | 4308 | 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe | file name.exe
PID 4892 wrote to memory of 3296 | 4892 | file name.exe | file name.exe
PID 4892 wrote to memory of 3296 | 4892 | file name.exe | file name.exe
PID 4892 wrote to memory of 3296 | 4892 | file name.exe | file name.exe
PID 4892 wrote to memory of 3296 | 4892 | file name.exe | file name.exe
PID 4892 wrote to memory of 3296 | 4892 | file name.exe | file name.exe
PID 3296 wrote to memory of 2812 | 3296 | file name.exe | explorer.exe
PID 3296 wrote to memory of 2812 | 3296 | file name.exe | explorer.exe
PID 3296 wrote to memory of 2812 | 3296 | file name.exe | explorer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\folder name\file name.exe
      Command line: "C:\Users\Admin\Documents\folder name\file name.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\folder name\file name.exe
         Command line: "C:\Users\Admin\Documents\folder name\file name.exe"
         - Executes dropped EXE
         - Sets file execution options in registry
         - Checks whether UAC is enabled
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: C:\Windows\SysWOW64\explorer.exe
            - Modifies firewall policy service
            - Sets file execution options in registry
            - Checks BIOS information in registry
            - Adds Run key to start application
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Enumerates system info in registry
            - Modifies Internet Explorer Protected Mode
            - Modifies Internet Explorer Protected Mode Banner
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1136
               - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2812 -ip 2812
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\folder name\file name.exe
Filesize: 849KB
MD5: 0f97c0600cb950fe9430023345529356
SHA1: 0464e631d06da0bc9a18a4b1b6252c436686914a
SHA256: 55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
SHA512: 327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da
Memory dumps (path | filesize):
memory/2812-147-0x0000000000000000-mapping.dmp
memory/2812-154-0x0000000000AF0000-0x0000000000C2D000-memory.dmp | 1.2MB
memory/2812-153-0x0000000000AF0000-0x0000000000C2D000-memory.dmp | 1.2MB
memory/2812-152-0x0000000000FF0000-0x0000000000FFD000-memory.dmp | 52KB
memory/2812-151-0x0000000000AF0000-0x0000000000C2D000-memory.dmp | 1.2MB
memory/2812-150-0x00000000003B0000-0x00000000007E3000-memory.dmp | 4.2MB
memory/3296-143-0x0000000002260000-0x00000000022C5000-memory.dmp | 404KB
memory/3296-145-0x0000000002610000-0x000000000261D000-memory.dmp | 52KB
memory/3296-146-0x00000000027D0000-0x00000000027DC000-memory.dmp | 48KB
memory/3296-142-0x0000000002260000-0x00000000022C5000-memory.dmp | 404KB
memory/3296-148-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/3296-149-0x0000000002260000-0x00000000022C5000-memory.dmp | 404KB
memory/3296-140-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/3296-139-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/3296-138-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/3296-136-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/3296-135-0x0000000000000000-mapping.dmp
memory/4892-132-0x0000000000000000-mapping.dmp