Analysis
-
max time kernel
70s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
21-11-2022 17:18
Static task
static1
Behavioral task
behavioral1
Sample
10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe
-
Size
88KB
-
MD5
3073a16a4cf171d7532003fe4159c7f0
-
SHA1
610f1042e047e12a993fc8dbc7972e2cd7c24ba8
-
SHA256
10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640
-
SHA512
7dab8f7f0a95bf433f221dc56c39e16a7a50767bc591e724ecc5fdedc2f58000772f32e417b64bc2c199c059a94085e359064c4f3527d2e4d532cca21bdc47a0
-
SSDEEP
1536:HVqsQX3xGNN+F/hdTS7e1dEmvMLjqi0EZ7eB7Z49ar6S:pC3xGNMZ9S7e1DgjqiN7eB7Z+I6S
Score
8/10
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msmsgr = "c:\\windows\\msmsgr.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrun32 = "c:\\windows\\msrun32.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\msmsgr\ImagePath = "c:\\windows\\msmsgr.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msmsgr = "c:\\windows\\msmsgr.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass32 = "c:\\windows\\lsass32.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msmsgr = "c:\\windows\\msmsgr.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\j: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\h: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\w: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\r: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\m: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\f: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\s: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\y: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\x: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\v: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\u: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\p: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\l: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\i: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\z: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\t: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\q: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\o: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\k: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\g: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened (read-only) \??\e: 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\regedit.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File opened for modification \??\c:\windows\regedit2.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeGammaLoader.scr 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened for modification \??\c:\windows\mui\modem.sys 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened for modification \??\c:\windows\msmsgr.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened for modification \??\c:\windows\msrun32.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\msrun32.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\calc.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened for modification \??\c:\windows\calc.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\regedit2.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\Start Menu\Programs\Startup\AdobeGammaLoader.scr 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\msmsgr.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File created \??\c:\windows\lsass32.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe File opened for modification \??\c:\windows\lsass32.exe 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A} 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "118" 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 112 10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe"C:\Users\Admin\AppData\Local\Temp\10fc0ca99c7dc7eeadd0a8fb78d94fd9f8da4c10c6bfe2e754136aa03d26a640.exe"1⤵
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:112