Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 04:02

General

  • Target

    Full Install.exe

  • Size

    1.3MB

  • MD5

    70364fa4e186b91a1782ac29a13bb3ad

  • SHA1

    1f4c9fb938ac2d78a8a3ea091bd9395e962d5589

  • SHA256

    72592d99f4521b4cc9014bc2a361e84382de2e12610aa32ea5927a6d75228939

  • SHA512

    d2ad64ece3371d90ff140d9ed27ffcfa93bbadd9175f7b08feaefb8e4ea9203dcf23b4f98a23fb19969c03aee85f8986096e21678eb746f9b89e4156c40a23dd

  • SSDEEP

    24576:4RmJkcoQricOIQxiZY1iazQGeD9EMuoKqFX8amJ54lkrNu/3vL:9JZoQrbTFZY1iaXs9EMb1sxL3rA3vL

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Full Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Full Install.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\calc.exe
      "C:\Windows\SysWOW64\calc.exe"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:456
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:5056
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4164
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1416-133-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1416-135-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1416-148-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1416-147-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB