Analysis
max time kernel: 139s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 21:52
Static task: static1
Behavioral task: behavioral1
  Sample: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
  Resource: win10v2004-20220812-en
General
Target: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
Size: 388KB
MD5: a8d6cc7b661482c5be38c38b19156b43
SHA1: 3716a78ee38506d2555333dce99ba052325a60ce
SHA256: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587
SHA512: 03291e3fbae671efbf451773bf386eac12d7762f6b0896e36c6aac5145026c25df71934ff379e717e14285ef929c79a19bd71969d779b711d6f53d6b3fc050c5
SSDEEP: 12288:fEETDPKgeI8zQJ64ESq52kOetTzll1p14QY:8ObKI8J4Rqf5bl1z4R
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
- Loads dropped DLL (1 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    pid | process
    4800 | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\win1ogon.exe" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
- Drops file in System32 directory (4 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    description | ioc | process
    File created | C:\WINDOWS\SysWOW64\dllcache\taskmgr.exe | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    File created | C:\WINDOWS\SysWOW64\taskmgr.exe | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    File opened for modification | C:\WINDOWS\SysWOW64\dllcache\taskmgr.exe | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    File opened for modification | C:\WINDOWS\SysWOW64\taskmgr.exe | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
- Modifies registry class (1 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\win1ogon.exe" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    pid | process
    4800 | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    4800 | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    4800 | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
- System policy modification (1 TTPs, 4 IoCs)
  Processes: a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff = "1" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a16b624a41afa3a79997ce14a8aa04fab7238ec6c008c4fdff8a675997ee7587.exe" (1)
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr
  Filesize: 373KB
  MD5: f94d87430033c72c4ef723b40d683bed
  SHA1: ab68be086128f3728467c13babb803cda917cbef
  SHA256: b5f711d081010a19f4a83ab11390d8ce32db7e88b85f82560d813732c463d118
  SHA512: b4799c708fef50ea1b36ef2debad965daba8812a6ea5b94d4c34a99dca940554372428dff514b50d115a9105210481943d17a96c8879a08a0dbbbf357340b961
- memory/4800-133-0x0000000010000000-0x000000001017F000-memory.dmp
  Filesize: 1.5MB
- memory/4800-134-0x0000000010000000-0x000000001017F000-memory.dmp
  Filesize: 1.5MB
- memory/4800-135-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB
- memory/4800-136-0x0000000010000000-0x000000001017F000-memory.dmp
  Filesize: 1.5MB
- memory/4800-137-0x0000000010000000-0x000000001017F000-memory.dmp
  Filesize: 1.5MB