Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2022 18:58
Static task: static1
Behavioral task: behavioral1
Sample: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
Resource: win7-20220901-en
General
- Target: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
- Size: 270KB
- MD5: 72a5fd774abbbcbdc38527826122b580
- SHA1: 08da270a2c68a7b113aaaee8b2cbffb7665163c9
- SHA256: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451
- SHA512: 51abac0551b7e97c9691b0a2f821d22a258022c25dcc7c1c7bd6e873e658ea3bf7affdae06d8b6929e2473600c55abbc7a1b1decdd17b76e376b9c54eca6218f
- SSDEEP: 6144:LAsBZPuFKtb1svWp8uAUf2lNbhu1ZHqsM7hQzZT8PjUs:tUOb1svWpaUfgNbhu1csqu3s
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Sets file execution options in registry 2 TTPs 4 IoCs
Processes: explorer.exe, cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "vzqhrgtrgm.exe" | explorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1y75uiq5.exe | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1y75uiq5.exe\DisableExceptionChainValidation | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL 2 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
pid | process
- 5056 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
- 5056 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\a1y75uiq5.exe" | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\a1y75uiq5.exe\"" | explorer.exe
Checks whether UAC is enabled 1 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe, explorer.exe
pid | process
- 744 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
- 4504 | explorer.exe (7 occurrences)
Suspicious use of SetThreadContext 1 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
description | pid | process | target process
- PID 5056 set thread context of 744 | 5056 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
- 2968 | 4504 | WerFault.exe | explorer.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings 1 IoCs
Processes: explorer.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: explorer.exe
pid | process
- 4504 | explorer.exe (4 occurrences)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
pid | process
- 744 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe (2 occurrences)
Suspicious behavior: RenamesItself 1 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
pid | process
- 744 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe, explorer.exe
description | pid | process
- PID 744 (cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe), one Token entry each for: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 4504 (explorer.exe), one Token entry each for: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory 13 IoCs
Processes: cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe, cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
description | pid | process | target process
- PID 5056 wrote to memory of 744 | 5056 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe (10 occurrences)
- PID 744 wrote to memory of 4504 | 744 | cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | explorer.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
    Depth: 2
    - Sets file execution options in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      Depth: 3
      - Modifies firewall policy service
      - Sets file execution options in registry
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1120
        Depth: 4
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
  Depth: 1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nseB86A.tmp\System.dll
  Filesize: 11KB
  MD5: 883eff06ac96966270731e4e22817e11
  SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
  SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
  SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
- C:\Users\Admin\AppData\Local\Temp\rabblements.dll
  Filesize: 74KB
  MD5: e0291ba7745237498e06465b622cee9d
  SHA1: f1bac955e343ea7530f63197b7c29af40ae0388a
  SHA256: e389ea70bde9d21be265a9adda6cdfd3aae6d59b2526df2bb18ae7c7cc4aa13a
  SHA512: 87d6834e1a8c4166a0f1cdcc38908798c9a75684ea118ea4b99ee2d322c26268d0a352fa437840c1f45de0830fe2361cbc21a516ef49c88be9c3f8eb415f3dd6
- memory/744-146-0x00000000026A0000-0x00000000026AC000-memory.dmp (Filesize: 48KB)
- memory/744-143-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/744-150-0x0000000000900000-0x0000000000963000-memory.dmp (Filesize: 396KB)
- memory/744-134-0x0000000000000000-mapping.dmp
- memory/744-139-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/744-140-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/744-141-0x0000000000900000-0x0000000000963000-memory.dmp (Filesize: 396KB)
- memory/744-135-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/744-145-0x0000000000460000-0x000000000046D000-memory.dmp (Filesize: 52KB)
- memory/744-144-0x0000000000900000-0x0000000000963000-memory.dmp (Filesize: 396KB)
- memory/4504-147-0x0000000000000000-mapping.dmp
- memory/4504-148-0x0000000000480000-0x00000000008B3000-memory.dmp (Filesize: 4.2MB)
- memory/4504-149-0x00000000008F0000-0x000000000099A000-memory.dmp (Filesize: 680KB)
- memory/4504-151-0x00000000008F0000-0x000000000099A000-memory.dmp (Filesize: 680KB)
- memory/5056-138-0x0000000074540000-0x0000000074566000-memory.dmp (Filesize: 152KB)
- memory/5056-136-0x0000000074540000-0x0000000074566000-memory.dmp (Filesize: 152KB)