Analysis
max time kernel: 158s
max time network: 186s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: Vale_Presente.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Vale_Presente.exe
  Resource: win10v2004-20221111-en
General
Target: Vale_Presente.exe
Size: 1.7MB
MD5: ea6ffad92153412e5237665c82c78799
SHA1: db71dca3183cb79d10cde3153d2c7eab4d6ad7d2
SHA256: f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01
SHA512: ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3
SSDEEP: 3072:dwvqbFtkEyWvXFPmy/DA/cZd0SzsZpzbwgWamdUHGNFopPF1XeRBIytGVXi8FrTN:jDycXI6lZij/1TGFo5F1DXRDXy1
Malware Config
Signatures
UAC bypass
Processes: 26112022.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 26112022.exe
Executes dropped EXE 1 IoCs
Processes: 26112022.exe
pid | process
680 | 26112022.exe
Loads dropped DLL 3 IoCs
Processes: Vale_Presente.exe, 26112022.exe
pid | process
1736 | Vale_Presente.exe
1736 | Vale_Presente.exe
680 | 26112022.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IxplorerStart = "C:\\Program Files\\Internet Explorer\\iexplore.exe" | 26112022.exe
Checks whether UAC is enabled
Processes: 26112022.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 26112022.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2957A774-1BFE-41B6-B3E0-352AD2736B68} | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\NoExplorer = "1" | 26112022.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main | 26112022.exe
Modifies registry class 45 IoCs
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\HELPDIR | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ProgID\ = "Micronews.ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\ = "Micronews.ClsMicronews" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Implemented Categories | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0\win32 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\Version = "1.0" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32\ThreadingModel = "Apartment" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\Clsid\ = "{2957A774-1BFE-41B6-B3E0-352AD2736B68}" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\FLAGS | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\HELPDIR\ = "c:\\Users\\Admin\\jdjoosvd" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "_ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ = "Micronews.ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32\ = "c:\\Users\\Admin\\jdjoosvd\\jdjoosvd.tmp" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\Version = "1.0" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "_ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\Clsid | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Programmable | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\ = "Micronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\FLAGS\ = "0" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32 | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\VERSION | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\VERSION\ = "1.0" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0\win32\ = "c:\\Users\\Admin\\jdjoosvd\\jdjoosvd.tmp" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ProgID | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\TypeLib | 26112022.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: AUDIODG.EXE, shutdown.exe
description | pid | process
Token: 33 | 688 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 688 | AUDIODG.EXE
Token: 33 | 688 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 688 | AUDIODG.EXE
Token: SeShutdownPrivilege | 304 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 304 | shutdown.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: 26112022.exe
pid | process
680 | 26112022.exe
680 | 26112022.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: Vale_Presente.exe, 26112022.exe
pid | process
1736 | Vale_Presente.exe
1736 | Vale_Presente.exe
1736 | Vale_Presente.exe
680 | 26112022.exe
680 | 26112022.exe
680 | 26112022.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: Vale_Presente.exe, 26112022.exe
description | pid | process | target process
PID 1736 wrote to memory of 680 | 1736 | Vale_Presente.exe | 26112022.exe
PID 1736 wrote to memory of 680 | 1736 | Vale_Presente.exe | 26112022.exe
PID 1736 wrote to memory of 680 | 1736 | Vale_Presente.exe | 26112022.exe
PID 1736 wrote to memory of 680 | 1736 | Vale_Presente.exe | 26112022.exe
PID 680 wrote to memory of 304 | 680 | 26112022.exe | shutdown.exe
PID 680 wrote to memory of 304 | 680 | 26112022.exe | shutdown.exe
PID 680 wrote to memory of 304 | 680 | 26112022.exe | shutdown.exe
PID 680 wrote to memory of 304 | 680 | 26112022.exe | shutdown.exe
System policy modification 1 TTPs 4 IoCs
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68} = "1" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 26112022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 26112022.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Vale_Presente.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vale_Presente.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1736
  - C:\Users\Admin\26112022.exe
    Command line: "C:\Users\Admin\26112022.exe"
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 680
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown.exe -r -f -t 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 304
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1b8
  - Suspicious use of AdjustPrivilegeToken
  PID: 688
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2004
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1700
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\26112022.exe
  Filesize: 1.7MB
  MD5: ea6ffad92153412e5237665c82c78799
  SHA1: db71dca3183cb79d10cde3153d2c7eab4d6ad7d2
  SHA256: f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01
  SHA512: ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3
- C:\Users\Admin\26112022.tmp
  Filesize: 55B
  MD5: 929ed09ec05257e4b2852823a571ca47
  SHA1: 5ead69983eeda06dbf09b24df8264b95d0f4738c
  SHA256: c2b80186cc569e5dcdd394d4c0e71a38a2470f4415e2d2bddd33f1785d4dec74
  SHA512: ea9638246d19a8ceccb832744cba27fa1b056e53f8a1d032774d766e55cdcaf3dd7a87dfa0344fd22c5212bdfd539b301bc82c157a8b7a721c8688863aa322b8
- \Users\Admin\26112022.exe
  Filesize: 1.7MB
  MD5: ea6ffad92153412e5237665c82c78799
  SHA1: db71dca3183cb79d10cde3153d2c7eab4d6ad7d2
  SHA256: f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01
  SHA512: ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3
- \Users\Admin\jdjoosvd\jdjoosvd.tmp
  Filesize: 560KB
  MD5: 44f7d31463d79dd60560195e8fa33b29
  SHA1: 27ecd3fa4fe68f5e72f9a1d25887d2ff1e082140
  SHA256: 4a3774c66e6c46a99f610aecd533224331303ae4eb0582ee8e0653b4bd7971d0
  SHA512: 57977f4ed1a5801e48e060ef282407411b31f3cc2a2fc47af08259faadc4190abf188a6916fcd6c3c8d034bed873da48e90c16988500a76fca7fffa4c2cbc790
- memory/304-69-0x0000000000000000-mapping.dmp
- memory/680-59-0x0000000000000000-mapping.dmp
- memory/680-67-0x0000000071CA1000-0x0000000071CA3000-memory.dmp
  Filesize: 8KB
- memory/1736-56-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB
- memory/2004-70-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp
  Filesize: 8KB