Analysis
max time kernel
208s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-11-2022 19:34
Static task
static1
Behavioral task
behavioral1
Sample
Vale_Presente.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Vale_Presente.exe
Resource
win10v2004-20221111-en
General
Target
Vale_Presente.exe
Size
1.7MB
MD5
ea6ffad92153412e5237665c82c78799
SHA1
db71dca3183cb79d10cde3153d2c7eab4d6ad7d2
SHA256
f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01
SHA512
ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3
SSDEEP
3072:dwvqbFtkEyWvXFPmy/DA/cZd0SzsZpzbwgWamdUHGNFopPF1XeRBIytGVXi8FrTN:jDycXI6lZij/1TGFo5F1DXRDXy1
Malware Config
Signatures
UAC bypass
Processes: 26112022.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 26112022.exe
Executes dropped EXE 1 IoCs
Processes: 26112022.exe
pid | process
4740 | 26112022.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Vale_Presente.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Vale_Presente.exe
Loads dropped DLL 1 IoCs
Processes: 26112022.exe
pid | process
4740 | 26112022.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IxplorerStart = "C:\\Program Files\\Internet Explorer\\iexplore.exe" | 26112022.exe
Checks whether UAC is enabled
Processes: 26112022.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 26112022.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2957A774-1BFE-41B6-B3E0-352AD2736B68} | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\NoExplorer = "1" | 26112022.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "240" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Modifies registry class 45 IoCs
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0\win32 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\HELPDIR | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\HELPDIR\ = "c:\\Users\\Admin\\tkrvotjn" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\Version = "1.0" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32\ThreadingModel = "Apartment" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0 | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\FLAGS\ = "0" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\TypeLib | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\VERSION\ = "1.0" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\Clsid | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Implemented Categories | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Programmable | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\ = "Micronews" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\FLAGS | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32 | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\Version = "1.0" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ProgID\ = "Micronews.ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32\ = "c:\\Users\\Admin\\tkrvotjn\\tkrvotjn.tmp" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA} | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\VERSION | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ProgID | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32 | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32 | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0\win32\ = "c:\\Users\\Admin\\tkrvotjn\\tkrvotjn.tmp" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "_ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\ = "Micronews.ClsMicronews" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA} | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ = "Micronews.ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\Clsid\ = "{2957A774-1BFE-41B6-B3E0-352AD2736B68}" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "_ClsMicronews" | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}" | 26112022.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: shutdown.exe
description | pid | process
Token: SeShutdownPrivilege | 2636 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2636 | shutdown.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: 26112022.exe
pid | process
4740 | 26112022.exe
4740 | 26112022.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: Vale_Presente.exe, 26112022.exe, LogonUI.exe
pid | process
4796 | Vale_Presente.exe
4796 | Vale_Presente.exe
4796 | Vale_Presente.exe
4740 | 26112022.exe
4740 | 26112022.exe
4740 | 26112022.exe
3672 | LogonUI.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: Vale_Presente.exe, 26112022.exe
description | pid | process | target process
PID 4796 wrote to memory of 4740 | 4796 | Vale_Presente.exe | 26112022.exe
PID 4796 wrote to memory of 4740 | 4796 | Vale_Presente.exe | 26112022.exe
PID 4796 wrote to memory of 4740 | 4796 | Vale_Presente.exe | 26112022.exe
PID 4740 wrote to memory of 2636 | 4740 | 26112022.exe | shutdown.exe
PID 4740 wrote to memory of 2636 | 4740 | 26112022.exe | shutdown.exe
PID 4740 wrote to memory of 2636 | 4740 | 26112022.exe | shutdown.exe
System policy modification 1 TTPs 4 IoCs
Processes: 26112022.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 26112022.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 26112022.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | 26112022.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68} = "1" | 26112022.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Vale_Presente.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Vale_Presente.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796
    C:\Users\Admin\26112022.exe
    command line: "C:\Users\Admin\26112022.exe"
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4740
        C:\Windows\SysWOW64\shutdown.exe
        command line: shutdown.exe -r -f -t 0
        - Suspicious use of AdjustPrivilegeToken
        PID:2636
C:\Windows\system32\LogonUI.exe
command line: "LogonUI.exe" /flags:0x4 /state0:0xa3962055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3672
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\26112022.exe
Filesize
1.7MB
MD5
ea6ffad92153412e5237665c82c78799
SHA1
db71dca3183cb79d10cde3153d2c7eab4d6ad7d2
SHA256
f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01
SHA512
ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3
C:\Users\Admin\26112022.tmp
Filesize
55B
MD5
929ed09ec05257e4b2852823a571ca47
SHA1
5ead69983eeda06dbf09b24df8264b95d0f4738c
SHA256
c2b80186cc569e5dcdd394d4c0e71a38a2470f4415e2d2bddd33f1785d4dec74
SHA512
ea9638246d19a8ceccb832744cba27fa1b056e53f8a1d032774d766e55cdcaf3dd7a87dfa0344fd22c5212bdfd539b301bc82c157a8b7a721c8688863aa322b8
C:\Users\Admin\tkrvotjn\tkrvotjn.tmp
Filesize
560KB
MD5
44f7d31463d79dd60560195e8fa33b29
SHA1
27ecd3fa4fe68f5e72f9a1d25887d2ff1e082140
SHA256
4a3774c66e6c46a99f610aecd533224331303ae4eb0582ee8e0653b4bd7971d0
SHA512
57977f4ed1a5801e48e060ef282407411b31f3cc2a2fc47af08259faadc4190abf188a6916fcd6c3c8d034bed873da48e90c16988500a76fca7fffa4c2cbc790
memory/2636-141-0x0000000000000000-mapping.dmp
memory/4740-134-0x0000000000000000-mapping.dmp