Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 14:05
Static task
static1
Behavioral task
behavioral1
Sample
3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe
Resource
win10v2004-20220901-en
General
-
Target
3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe
-
Size
807KB
-
MD5
f1a7fe24b1cd6e4bb9c4ac10d608ffd5
-
SHA1
7a18351d626a93a3a230777417a903f73c6ab960
-
SHA256
3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e
-
SHA512
1d44863b70ae011d6be4632b5ef7470bf4636b59d18bc721dbcf52703ebf6378162b38c87fce665db2ebd6de287e96b6c5a2138b85fed84188f2a5f936f05a93
-
SSDEEP
24576:dFU3XZISMSND63ZvmNmtMZoq/DswVNCCzILtNBjAoKgnij:WMSNOZew6ZrvCCSRAaij
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
setup.exepid process 2016 setup.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
setup.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ef128ac\\setup.exe" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ef128ac\\setup.exe" setup.exe -
Loads dropped DLL 1 IoCs
Processes:
3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exepid process 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe -
Processes:
setup.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe -
Processes:
setup.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main setup.exe -
Modifies registry class 36 IoCs
Processes:
setup.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ef128ac\\setup.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ef128ac\\setup.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}" setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ef128ac" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32 setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ef128ac\\setup.exe" setup.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0" setup.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
setup.exedescription pid process Token: SeDebugPrivilege 2016 setup.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
setup.exepid process 2016 setup.exe 2016 setup.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exedescription pid process target process PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe PID 1896 wrote to memory of 2016 1896 3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe setup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe"C:\Users\Admin\AppData\Local\Temp\3fc820845813fcfce13dc35fc4e64937c6949eb51b32a0c9323353f7d429732e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\setup.exe"C:\Users\Admin\AppData\Local\Temp/4ef128ac/setup.exe" ProfileFileName=step0.ini2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\installer\boot.datFilesize
1KB
MD582ff009dd3236db90393cead19bd2b16
SHA13b9eab7281a500960d6598316db7b8299970d8ba
SHA2560f1d6e066ebc9ed29cc2f194fad5091431a57eb85e13fdd19d1c8881c9402e71
SHA51247bc6609654812719030e470f949b2af139346937cb689d078de731d57278f2743da5a1cf2dd71bbadb47251be7e5b784c429ba2769559e2d4dcddc978fbe8f1
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\installer\installer-config.datFilesize
4KB
MD526346960decad3a50d16370897784854
SHA1a2a5986399f33bd62cd15757895475f818291302
SHA256e6283313fa634034a1251471b5517fa9264c55f1e8008af103dbb13242dcc88f
SHA5121344d6c3201e33ff26063c58b2030b1b16fb8bcab951caa9bfe9cce4c09d190881705a7eafccc6ccfe0bdf1abf71ae360ea3e3ef10ee6ef0cfaf0eb1aba39e54
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\installer\installer.datFilesize
36KB
MD5298dc9fe1774bad46acae8aec86b8a40
SHA1f9f5564461b94e309043e2c555b645fdb69611b0
SHA256ceee1f89c72361136d3c7f884c9a54ccf3e99aa25fbc0aeef4c79c9f1e38307e
SHA512a47c66bd350774b0932a42062952e9cd260daf0cf4b6a2f5ce886a24e592bb113aaa0d386c712d7a63ef3070f85540a8125579a524269091684e59ccc601f2eb
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\installer\new-screen.datFilesize
2KB
MD5ff3ac2ce15df8c6e09677fff184dd67e
SHA1a9b938df0cb6338c557c118766e25acc97bcf1f8
SHA256ae780c4499c3560092e6b5bcbf4ae596f7b0df3e77d0d3cb3eeb33b54eeb2dfe
SHA512a7fdd31a34c45d608f99afb06c9ac54c2218603f1d3828af13a0060e19f2d4903ddc253f3209455acff7459679e3514cade3289e21c1f3f598a07b7e8e361ad0
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\installer\step0.iniFilesize
22KB
MD56e8226440dee48ba01ea8f6dbf8d91be
SHA15886440cd8cc00a69cf451f13c27200a0f17fd32
SHA2560262c1155bdf7457acac23d07edc972d6be132c5e32d236fdb63eed0d8dc1520
SHA512c96ae499172fb6499033ea54fdcb1d980739677eccf075f0728c7490b822d0a41ae39ae6f48682f42b31ff8e15f8080fbd413c35a906c585291584e55d4ca069
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\installer\step0.iniFilesize
13KB
MD56d0b441df47f4b0e69abe7435eaeb9d8
SHA1d230f7a46e17e5e1eab23b96d8915876b0ddc709
SHA2565e8bddc3f06ddcff952fa2d4a707c8a7f21905eb464a7937c74966765b7e4128
SHA512b7b083dd82b8dec5fb5edc12068ac4bbac17ffcd747b6541db635c15d01cdfe2d561a6b5d85c688b3651030e69f64d89fc6a94cf4d8b310762d1534902f64bb9
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\setup.exeFilesize
1.4MB
MD5c3bc99a2f410a5bede595c6a35aabc44
SHA1cf513259f468b9b15d1749dbe60d215c0b76098c
SHA256747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6
SHA512ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3
-
C:\Users\Admin\AppData\Local\Temp\4ef128ac\setup.exeFilesize
1.4MB
MD5c3bc99a2f410a5bede595c6a35aabc44
SHA1cf513259f468b9b15d1749dbe60d215c0b76098c
SHA256747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6
SHA512ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3
-
\Users\Admin\AppData\Local\Temp\4ef128ac\setup.exeFilesize
1.4MB
MD5c3bc99a2f410a5bede595c6a35aabc44
SHA1cf513259f468b9b15d1749dbe60d215c0b76098c
SHA256747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6
SHA512ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3
-
memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmpFilesize
8KB
-
memory/2016-56-0x0000000000000000-mapping.dmp