Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
28-10-2022 22:07
Static task
static1
Behavioral task
behavioral1
Sample
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe
Resource
win7-20220901-en
General
-
Target
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe
-
Size
444KB
-
MD5
8beaefc95e59a295bf8e008fa9e475ec
-
SHA1
d6f27c4da7247eb3228e300e3eb41bb6564c9aa0
-
SHA256
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3
-
SHA512
05c747ce80927b9ec773bbe7dbc56efda4be547381bafa1b1ba341b396c77f8c4623a4c6dedf1fd86db5ea2c0065889b76b8357e34e6137e18e908db1dbe5279
-
SSDEEP
6144:0lO/MKY3HouUijCo7kSDpv34sv64crrr9RLMGsL:0lO/NY3JUo77H64gLKL
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w55i3713ua.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w55i3713ua.exe\DisableExceptionChainValidation fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "xma.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DirectX Updater 2.0 = "C:\\ProgramData\\DirectX Updater 2.0\\w55i3713ua.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX Updater 2.0 = "\"C:\\ProgramData\\DirectX Updater 2.0\\w55i3713ua.exe\"" explorer.exe -
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exeexplorer.exepid process 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exedescription pid process target process PID 2028 set thread context of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
explorer.exepid process 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe 296 explorer.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exeexplorer.exepid process 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe 296 explorer.exe 296 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exepid process 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exeexplorer.exedescription pid process Token: SeDebugPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeRestorePrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeBackupPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeLoadDriverPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeCreatePagefilePrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeShutdownPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeTakeOwnershipPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeChangeNotifyPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeCreateTokenPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeMachineAccountPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeSecurityPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeAssignPrimaryTokenPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeCreateGlobalPrivilege 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: 33 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe Token: SeDebugPrivilege 296 explorer.exe Token: SeRestorePrivilege 296 explorer.exe Token: SeBackupPrivilege 296 explorer.exe Token: SeLoadDriverPrivilege 296 explorer.exe Token: SeCreatePagefilePrivilege 296 explorer.exe Token: SeShutdownPrivilege 296 explorer.exe Token: SeTakeOwnershipPrivilege 296 explorer.exe Token: SeChangeNotifyPrivilege 296 explorer.exe Token: SeCreateTokenPrivilege 296 explorer.exe Token: SeMachineAccountPrivilege 296 explorer.exe Token: SeSecurityPrivilege 296 explorer.exe Token: SeAssignPrimaryTokenPrivilege 296 explorer.exe Token: SeCreateGlobalPrivilege 296 explorer.exe Token: 33 296 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exepid process 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exefd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exeexplorer.exedescription pid process target process PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2028 wrote to memory of 2012 2028 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 2012 wrote to memory of 296 2012 fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe explorer.exe PID 296 wrote to memory of 1340 296 explorer.exe Dwm.exe PID 296 wrote to memory of 1340 296 explorer.exe Dwm.exe PID 296 wrote to memory of 1340 296 explorer.exe Dwm.exe PID 296 wrote to memory of 1340 296 explorer.exe Dwm.exe PID 296 wrote to memory of 1340 296 explorer.exe Dwm.exe PID 296 wrote to memory of 1340 296 explorer.exe Dwm.exe PID 296 wrote to memory of 1400 296 explorer.exe Explorer.EXE PID 296 wrote to memory of 1400 296 explorer.exe Explorer.EXE PID 296 wrote to memory of 1400 296 explorer.exe Explorer.EXE PID 296 wrote to memory of 1400 296 explorer.exe Explorer.EXE PID 296 wrote to memory of 1400 296 explorer.exe Explorer.EXE PID 296 wrote to memory of 1400 296 explorer.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe"C:\Users\Admin\AppData\Local\Temp\fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe"C:\Users\Admin\AppData\Local\Temp\fd2ba2eaf8ca32686511d6baa015ba15e628f90f0e14ab544d37ab444c37cbf3.exe"3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/296-69-0x0000000000000000-mapping.dmp
-
memory/296-77-0x00000000003A0000-0x0000000000478000-memory.dmpFilesize
864KB
-
memory/296-76-0x0000000077840000-0x00000000779C0000-memory.dmpFilesize
1.5MB
-
memory/296-75-0x0000000000610000-0x000000000061C000-memory.dmpFilesize
48KB
-
memory/296-74-0x00000000003A0000-0x0000000000478000-memory.dmpFilesize
864KB
-
memory/296-73-0x0000000077840000-0x00000000779C0000-memory.dmpFilesize
1.5MB
-
memory/296-71-0x0000000074D71000-0x0000000074D73000-memory.dmpFilesize
8KB
-
memory/1400-78-0x00000000026E0000-0x00000000026E6000-memory.dmpFilesize
24KB
-
memory/2012-67-0x0000000000240000-0x000000000024D000-memory.dmpFilesize
52KB
-
memory/2012-68-0x0000000000800000-0x000000000080C000-memory.dmpFilesize
48KB
-
memory/2012-66-0x00000000001C0000-0x0000000000225000-memory.dmpFilesize
404KB
-
memory/2012-72-0x00000000001C0000-0x0000000000225000-memory.dmpFilesize
404KB
-
memory/2012-65-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2012-63-0x00000000001C0000-0x0000000000225000-memory.dmpFilesize
404KB
-
memory/2012-62-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2012-60-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2012-58-0x00000000004015C6-mapping.dmp
-
memory/2012-57-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2028-56-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize
8KB