Analysis
max time kernel: 110s
max time network: 109s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 09:37

Static task: static1

Behavioral task: behavioral1
Sample: 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Resource: win10v2004-20220901-en
General
Target: 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Size: 58KB
MD5: 1015a35ef55c90a010692d7da1477f98
SHA1: 5decaf7a2082d9fd0fc82286487602118894cb06
SHA256: 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc
SHA512: 8e53c30be831ff66335ca1bc9ddc0a19199ca7dd2915e601f67ef0c61d264adf3708d76d7aef05f8c072cd5aca7267c579dba7ed26b47fcf3c448dbbdd330b74
SSDEEP: 768:rBs9NWzQks5aJhOZ68+VQeRrBY4ogeTR+qNspAARUoVF+7HXoarhmQJRYvJ:l6NYs5av4gVQeFroJSzkXB1DJRu
Malware Config

Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\dlnblz = "C:\\Windows\\system\\lz090218.exe" | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system\lz090218.exe | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
File opened for modification | C:\Windows\system\lz090218.exe | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
File opened for modification | C:\Windows\system\lz32dla.dll | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
File created | C:\Windows\system\lz32dla.dll | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17EF0D31-5DCE-11ED-98C6-66397CAA4A34} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Token: SeSystemtimePrivilege | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Token: SeSystemtimePrivilege | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Token: SeDebugPrivilege | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Token: SeDebugPrivilege | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1960 | iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1960 | iexplore.exe
1960 | iexplore.exe
1976 | IEXPLORE.EXE
1976 | IEXPLORE.EXE
1976 | IEXPLORE.EXE
1976 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1368 wrote to memory of 1960 | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe | 27
PID 1368 wrote to memory of 1960 | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe | 27
PID 1368 wrote to memory of 1960 | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe | 27
PID 1368 wrote to memory of 1960 | 1368 | 1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe | 27
PID 1960 wrote to memory of 1976 | 1960 | iexplore.exe | 29
PID 1960 wrote to memory of 1976 | 1960 | iexplore.exe | 29
PID 1960 wrote to memory of 1976 | 1960 | iexplore.exe | 29
PID 1960 wrote to memory of 1976 | 1960 | iexplore.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1836153ff060897d11909c1c99ab51995787bd9bd63bbae0be7b0b43388e22bc.exe"
   - Adds policy Run key to start application
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1368

   2. C:\program files\internet explorer\iexplore.exe
      Command line: "C:\program files\internet explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1960

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
         PID: 1976