Analysis
-
max time kernel
84s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
02-08-2022 16:51
Static task
static1
Behavioral task
behavioral1
Sample
gunzipped.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
gunzipped.exe
Resource
win10v2004-20220721-en
General
-
Target
gunzipped.exe
-
Size
750KB
-
MD5
9189c940a9577852d429131fac3f27e4
-
SHA1
40705848169bf86aefed43e049f8976f97a4820b
-
SHA256
99cabbad55b9ddaaa566e2f6878303e7081a8f112e2e1f3541a5e352af833b1d
-
SHA512
3e6c9084afdc5857f05a575900dfe257189fb8046f443489bf2bc4cb083af2657c41e836fee61b56dc47a0b83c5b40ba78802ff59b92c78c8a0cf682968a13cc
Malware Config
Signatures
-
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" gunzipped.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3 = "C:\\Users\\Admin\\AppData\\Roaming\\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3.exe" iexplore.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" gunzipped.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
iexplore.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts iexplore.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3 = "C:\\Users\\Admin\\AppData\\Roaming\\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3.exe" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3 = "C:\\Users\\Admin\\AppData\\Roaming\\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe -
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4984 1532 WerFault.exe iexplore.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exedescription pid process target process PID 3112 set thread context of 3920 3112 gunzipped.exe gunzipped.exe PID 3920 set thread context of 2348 3920 gunzipped.exe iexplore.exe PID 2348 set thread context of 3208 2348 iexplore.exe iexplore.exe PID 2348 set thread context of 1336 2348 iexplore.exe iexplore.exe PID 2348 set thread context of 3460 2348 iexplore.exe iexplore.exe PID 2348 set thread context of 1532 2348 iexplore.exe iexplore.exe PID 2348 set thread context of 4196 2348 iexplore.exe iexplore.exe PID 2348 set thread context of 4448 2348 iexplore.exe iexplore.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exeiexplore.exepid process 3112 gunzipped.exe 3112 gunzipped.exe 3920 gunzipped.exe 3920 gunzipped.exe 3920 gunzipped.exe 3920 gunzipped.exe 3208 iexplore.exe 3208 iexplore.exe 3460 iexplore.exe 3460 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
gunzipped.exeiexplore.exeiexplore.exedescription pid process Token: SeDebugPrivilege 3112 gunzipped.exe Token: SeDebugPrivilege 2348 iexplore.exe Token: SeDebugPrivilege 3208 iexplore.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
gunzipped.exeiexplore.exepid process 3920 gunzipped.exe 2348 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
gunzipped.exegunzipped.exeiexplore.exedescription pid process target process PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3112 wrote to memory of 3920 3112 gunzipped.exe gunzipped.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 3920 wrote to memory of 2348 3920 gunzipped.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3208 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1336 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 3460 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 1532 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4196 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe PID 2348 wrote to memory of 4448 2348 iexplore.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
gunzipped.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\gunzipped.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr0.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr2.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1532 -ip 15321⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr2.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr4.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/3112-131-0x00000000054A0000-0x0000000005A44000-memory.dmpFilesize
5.6MB
-
memory/3112-132-0x0000000004FD0000-0x0000000005062000-memory.dmpFilesize
584KB
-
memory/3112-133-0x0000000005130000-0x000000000513A000-memory.dmpFilesize
40KB
-
memory/3112-134-0x0000000009AA0000-0x0000000009B3C000-memory.dmpFilesize
624KB
-
memory/3112-135-0x0000000009D00000-0x0000000009D66000-memory.dmpFilesize
408KB
-
memory/3112-130-0x0000000000390000-0x0000000000452000-memory.dmpFilesize
776KB
-
memory/3920-136-0x0000000000000000-mapping.dmp
-
memory/3920-142-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3920-143-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3920-139-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3920-137-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB