Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
31-07-2022 21:02
Static task
static1
Behavioral task
behavioral1
Sample
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe
Resource
win10v2004-20220721-en
General
-
Target
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe
-
Size
497KB
-
MD5
35cd90f09615b805acefdef9836c983f
-
SHA1
2bb416ff8d866587504d22c5e3c74a5fc7afef1c
-
SHA256
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea
-
SHA512
a22728338da17ea992a3b16f8303768e53600c8af7194cf9ea15b5c4303d716be4beec6d7e44084b9b5fcada5992de49ddec7965666403939d03c74f0c8140e6
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qg7ka3q75gcg1.exe 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qg7ka3q75gcg1.exe\DisableExceptionChainValidation 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "uzdmjwve.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Font Preloader Service = "C:\\ProgramData\\Windows Font Preloader Service\\qg7ka3q75gcg1.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Font Preloader Service = "\"C:\\ProgramData\\Windows Font Preloader Service\\qg7ka3q75gcg1.exe\"" explorer.exe -
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exeexplorer.exepid process 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exe5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
explorer.exepid process 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe 1276 explorer.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exeexplorer.exepid process 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe 1276 explorer.exe 1276 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exepid process 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exeexplorer.exedescription pid process Token: SeDebugPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeRestorePrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeBackupPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeLoadDriverPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeCreatePagefilePrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeShutdownPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeTakeOwnershipPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeChangeNotifyPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeCreateTokenPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeMachineAccountPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeSecurityPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeAssignPrimaryTokenPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeCreateGlobalPrivilege 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: 33 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe Token: SeDebugPrivilege 1276 explorer.exe Token: SeRestorePrivilege 1276 explorer.exe Token: SeBackupPrivilege 1276 explorer.exe Token: SeLoadDriverPrivilege 1276 explorer.exe Token: SeCreatePagefilePrivilege 1276 explorer.exe Token: SeShutdownPrivilege 1276 explorer.exe Token: SeTakeOwnershipPrivilege 1276 explorer.exe Token: SeChangeNotifyPrivilege 1276 explorer.exe Token: SeCreateTokenPrivilege 1276 explorer.exe Token: SeMachineAccountPrivilege 1276 explorer.exe Token: SeSecurityPrivilege 1276 explorer.exe Token: SeAssignPrimaryTokenPrivilege 1276 explorer.exe Token: SeCreateGlobalPrivilege 1276 explorer.exe Token: 33 1276 explorer.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exeexplorer.exedescription pid process target process PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1864 wrote to memory of 1276 1864 5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe explorer.exe PID 1276 wrote to memory of 1180 1276 explorer.exe Dwm.exe PID 1276 wrote to memory of 1180 1276 explorer.exe Dwm.exe PID 1276 wrote to memory of 1180 1276 explorer.exe Dwm.exe PID 1276 wrote to memory of 1180 1276 explorer.exe Dwm.exe PID 1276 wrote to memory of 1180 1276 explorer.exe Dwm.exe PID 1276 wrote to memory of 1180 1276 explorer.exe Dwm.exe PID 1276 wrote to memory of 1208 1276 explorer.exe Explorer.EXE PID 1276 wrote to memory of 1208 1276 explorer.exe Explorer.EXE PID 1276 wrote to memory of 1208 1276 explorer.exe Explorer.EXE PID 1276 wrote to memory of 1208 1276 explorer.exe Explorer.EXE PID 1276 wrote to memory of 1208 1276 explorer.exe Explorer.EXE PID 1276 wrote to memory of 1208 1276 explorer.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe"C:\Users\Admin\AppData\Local\Temp\5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe"2⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1208-72-0x00000000021B0000-0x00000000021B6000-memory.dmpFilesize
24KB
-
memory/1276-68-0x00000000007F0000-0x00000000007FC000-memory.dmpFilesize
48KB
-
memory/1276-67-0x0000000000230000-0x0000000000316000-memory.dmpFilesize
920KB
-
memory/1276-71-0x0000000000230000-0x0000000000316000-memory.dmpFilesize
920KB
-
memory/1276-70-0x0000000077DB0000-0x0000000077F30000-memory.dmpFilesize
1.5MB
-
memory/1276-65-0x00000000752F1000-0x00000000752F3000-memory.dmpFilesize
8KB
-
memory/1276-63-0x0000000000000000-mapping.dmp
-
memory/1276-66-0x0000000077DB0000-0x0000000077F30000-memory.dmpFilesize
1.5MB
-
memory/1864-62-0x00000000021B0000-0x00000000021BC000-memory.dmpFilesize
48KB
-
memory/1864-60-0x0000000001EF0000-0x0000000001F56000-memory.dmpFilesize
408KB
-
memory/1864-56-0x0000000001EF0000-0x0000000001F56000-memory.dmpFilesize
408KB
-
memory/1864-61-0x0000000000560000-0x000000000056D000-memory.dmpFilesize
52KB
-
memory/1864-54-0x0000000076C01000-0x0000000076C03000-memory.dmpFilesize
8KB
-
memory/1864-69-0x0000000001EF0000-0x0000000001F56000-memory.dmpFilesize
408KB
-
memory/1864-59-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1864-58-0x0000000000500000-0x0000000000560000-memory.dmpFilesize
384KB
-
memory/1864-55-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB