Analysis
-
max time kernel
279s -
max time network
396s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 12:35
Behavioral task
behavioral1
Sample
0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe
Resource
win7-20221111-en
9 signatures
150 seconds
General
-
Target
0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe
-
Size
2.3MB
-
MD5
ff3d7e1506acf688ec60a0544b4c223d
-
SHA1
a411fac1cb409333e459c03b86afefe0f2492568
-
SHA256
0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69
-
SHA512
652bf5c0b567677c4c7bc4add60da4b9f78dcbdfb0d0b1ff9a6a6ac81af4387fcc5cde759e2ff354f293ede0dd3ee801098943275d30167b67032478adf21967
-
SSDEEP
49152:bF089ANW0kzZ2+K/2kWKXHRNwpygaV5ShPAQtoyzrVs6GFbo:bF0NwZ9KlWONwpIJOzHGFbo
Malware Config
Signatures
-
Blocks application from running via registry modification 6 IoCs
Adds application to list of disallowed applications.
Processes:
0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "YY.exe" 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "e_patcher.exe" 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "e.exe" 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "yylauncher.exe" 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe -
Processes:
resource yara_rule behavioral2/memory/1000-132-0x0000000000400000-0x0000000000986000-memory.dmp vmprotect behavioral2/memory/1000-135-0x0000000000400000-0x0000000000986000-memory.dmp vmprotect -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exepid process 1000 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe 1000 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exepid process 1000 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe 1000 0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe"C:\Users\Admin\AppData\Local\Temp\0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe"1⤵
- Blocks application from running via registry modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx