Analysis
-
max time kernel
152s -
max time network
190s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
26-11-2022 22:44
Static task
static1
Behavioral task
behavioral1
Sample
fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
Resource
win7-20221111-en
General
-
Target
fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Size
392KB
-
MD5
0fbecec65bdc3e58a3604c015f24e3d1
-
SHA1
d4a0b4b628768d2ad970c69c661bcd7f174c76b0
-
SHA256
fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5
-
SHA512
30397c4aa49b62905db894b2abaf911fda73391af9969e713b5bdc10a78f78591a711c2de2b6a96745ef7ae94e18020dc95c2a6b301633e58893c185949e9df0
-
SSDEEP
12288:ZQB0GnWtil+1pcuVhbNrSqEw6tXLMRWgG:KVnWtRb/hxrQZMRW7
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
EnableFirewall = 0 under a FirewallPolicy profile key turns Windows Firewall off for that profile; here both the Standard (private) and Public profiles are switched off.
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
-
Sets file execution options in registry 2 TTPs 4 IoCs
A Debugger value under an Image File Execution Options key makes Windows start the named "debugger" with the original command line as its arguments, so any attempt to launch rstrui.exe (System Restore) would run xjenkff.exe instead. DisableExceptionChainValidation under the dropped file's own IFEO key controls SEHOP for that image; the data written is not shown in the report.
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w5amy17kayo5.exe\DisableExceptionChainValidation | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "xjenkff.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w5amy17kayo5.exe | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Both a Run and a RunOnce entry named "MS Word 2015" point at w5amy17kayo5.exe in the C:\ProgramData\MS Word 2015 folder that the sample created (see the desktop.ini drop below); C:\ProgramData is writable by standard users, so no elevation is needed for this persistence.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Word 2015 = "\"C:\\ProgramData\\MS Word 2015\\w5amy17kayo5.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MS Word 2015 = "C:\\ProgramData\\MS Word 2015\\w5amy17kayo5.exe" | explorer.exe
-
Checks whether UAC is enabled 1 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
description | ioc | process
File created | C:\ProgramData\MS Word 2015\desktop.ini | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
File opened for modification | C:\ProgramData\MS Word 2015\desktop.ini | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
NtSetInformationThread with ThreadHideFromDebugger stops debug events from the calling thread being delivered to an attached debugger; it is a common anti-debugging call.
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe, explorer.exe
pid | process
1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
1176 | explorer.exe (×8)
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Value 2500 in a zone key is the "Turn on Protected Mode" setting; 3 means off. Zones 1 to 4 are Local intranet, Trusted sites, Internet and Restricted sites, so Protected Mode is disabled for every network zone.
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
NoProtectedModeBanner = 1 suppresses the notification bar Internet Explorer would otherwise show when Protected Mode is off, hiding the change above from the user.
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
-
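The registry activity in the signatures above, turned into triage rules. This is an added example and not part of the sandbox report: it takes the registry events transcribed from the tables above and flags the ones that matter on a host (firewall switched off, IFEO Debugger hijack, Run/RunOnce persistence into a user-writable directory, Protected Mode off, hardware and UAC fingerprinting). The ATT&CK technique IDs are my own mapping using current sub-technique numbering; the report itself only shows a v6 matrix, and the severity levels are my choice.

```python
import re
from dataclasses import dataclass

SAMPLE = "fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe"
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000"

# Registry events transcribed from the signature tables in the report above:
# (operation, key or value path, data written or None for reads, acting process).
REPORT_EVENTS = [
    ("Set value (int)", HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "0", "explorer.exe"),
    ("Set value (int)", HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall", "0", "explorer.exe"),
    ("Set value (str)", HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w5amy17kayo5.exe\DisableExceptionChainValidation", None, SAMPLE),
    ("Set value (str)", HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger", "xjenkff.exe", "explorer.exe"),
    ("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, "explorer.exe"),
    ("Set value (str)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\MS Word 2015", r'"C:\ProgramData\MS Word 2015\w5amy17kayo5.exe"', "explorer.exe"),
    ("Set value (str)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\MS Word 2015", r"C:\ProgramData\MS Word 2015\w5amy17kayo5.exe", "explorer.exe"),
    ("Key value queried", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", None, SAMPLE),
    ("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", None, SAMPLE),
    ("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", None, "explorer.exe"),
    ("Set value (int)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500", "3", "explorer.exe"),
    ("Set value (int)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500", "3", "explorer.exe"),
    ("Set value (int)", HKU + r"\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner", "1", "explorer.exe"),
    ("Key created", HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe", None, "explorer.exe"),
]

ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites", "3": "Internet", "4": "Restricted sites"}
USER_WRITABLE = ("c:\\programdata", "c:\\users")   # path prefixes a non-admin account can write under


@dataclass
class Finding:
    technique: str   # ATT&CK id (my mapping; the report only shows a v6 matrix)
    severity: str    # high / medium / low
    summary: str
    process: str


def classify(op, path, data, proc):
    """Return a Finding for one registry event, or None if it matches no rule."""
    is_write = op.startswith("Set value")
    leaf = path.rsplit("\\", 1)[-1]

    # Defence evasion: Windows Firewall profile switched off.
    m = re.search(r"\\FirewallPolicy\\(\w+Profile)\\EnableFirewall$", path)
    if m and is_write and data == "0":
        return Finding("T1562.004", "high", f"Windows Firewall turned off for {m[1]}", proc)

    # IFEO: Debugger hijacks the target image; DisableExceptionChainValidation controls SEHOP.
    m = re.search(r"\\Image File Execution Options\\([^\\]+)\\(Debugger|DisableExceptionChainValidation)$", path)
    if m and is_write and m[2] == "Debugger":
        return Finding("T1546.012", "high", f"IFEO hijack: starting {m[1]} launches {data!r} instead", proc)
    if m and is_write:
        return Finding("T1112", "medium", f"SEHOP control value written for {m[1]} (data={data!r})", proc)

    # Persistence: Run/RunOnce; rate higher when the target lives in a user-writable tree.
    m = re.search(r"\\CurrentVersion\\(Run|RunOnce)\\(.+)$", path)
    if m and is_write:
        target = (data or "").strip('"')
        sev = "high" if target.lower().startswith(USER_WRITABLE) else "medium"
        return Finding("T1547.001", sev, f"{m[1]} entry {m[2]!r} -> {target}", proc)

    # IE Protected Mode: zone value 2500 == 3 is "off"; the banner value hides that it is off.
    m = re.search(r"\\Internet Settings\\Zones\\(\d)\\2500$", path)
    if m and is_write and data == "3":
        return Finding("T1562.001", "medium", f"IE Protected Mode off for zone {m[1]} ({ZONES.get(m[1], '?')})", proc)
    if is_write and leaf == "NoProtectedModeBanner" and data == "1":
        return Finding("T1562.001", "low", "IE 'Protected Mode is off' banner suppressed", proc)

    # Reads that profile the machine: sandbox/VM fingerprinting and UAC state.
    if not is_write and leaf in ("SystemBiosVersion", "SystemManufacturer", "ProcessorNameString"):
        return Finding("T1497.001", "low", f"hardware fingerprint read: {leaf}", proc)
    if not is_write and leaf == "EnableLUA":
        return Finding("T1012", "low", "UAC state queried (EnableLUA)", proc)
    return None


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(events):
    """Run every event through the rules and return the findings, most severe first."""
    findings = [f for f in (classify(*e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f"[{f.severity:6}] {f.technique:10} {f.process}: {f.summary}")
```

The rules key on the value path and the written data rather than on the process name, so the same function works on a live registry-event feed (Sysmon event 13, for example) where the acting process will be whatever was hollowed, not the sample itself.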
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: explorer.exe
pid | process
1176 | explorer.exe (×8)
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe, explorer.exe
pid | process
1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe (×2)
1176 | explorer.exe (×2)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
pid | process
1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe, explorer.exe
pid | process | tokens adjusted
1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
1176 | explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
pid | process
1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Suspicious use of UnmapMainImage 1 IoCs
The report records the calling process only (1228), not whose image was unmapped. Unmapping the main image of a freshly created child and then writing a new image into it is the process-hollowing pattern, which fits the WriteProcessMemory rows below; the report does not itself label it as such.
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
pid | process
1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe, explorer.exe
description | pid | process | target process
PID 1228 wrote to memory of 1176 | 1228 | fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe | explorer.exe (×7)
PID 1176 wrote to memory of 1192 | 1176 | explorer.exe | Dwm.exe (×6)
PID 1176 wrote to memory of 1268 | 1176 | explorer.exe | Explorer.EXE (×6)
Processes
-
[1] C:\Windows\Explorer.EXE (PID 1268)
    command line: C:\Windows\Explorer.EXE
-
  [2] C:\Users\Admin\AppData\Local\Temp\fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe (PID 1228)
      command line: "C:\Users\Admin\AppData\Local\Temp\fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe"
      - Sets file execution options in registry
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\SysWOW64\explorer.exe (PID 1176)
        command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Sets file execution options in registry
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
[1] C:\Windows\system32\Dwm.exe (PID 1192)
    command line: "C:\Windows\system32\Dwm.exe"
The bracketed number is the process's depth in the tree; PIDs are taken from the signature tables above. Note that the sample spawns a 32-bit explorer.exe from SysWOW64 as its own child and that almost all of the registry changes are attributed to that child, not to the sample.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
file | filesize
memory/1176-71-0x00000000002A0000-0x00000000002AC000-memory.dmp | 48KB
memory/1176-70-0x0000000000130000-0x000000000013D000-memory.dmp | 52KB
memory/1176-68-0x0000000077B10000-0x0000000077C90000-memory.dmp | 1.5MB
memory/1176-69-0x00000000001A0000-0x0000000000266000-memory.dmp | 792KB
memory/1176-67-0x0000000074EA1000-0x0000000074EA3000-memory.dmp | 8KB
memory/1176-75-0x00000000001A0000-0x0000000000266000-memory.dmp | 792KB
memory/1176-74-0x0000000077B10000-0x0000000077C90000-memory.dmp | 1.5MB
memory/1176-65-0x0000000000000000-mapping.dmp |
memory/1228-59-0x000000000CEA0000-0x000000000CF00000-memory.dmp | 384KB
memory/1228-57-0x0000000000400000-0x0000000000432000-memory.dmp | 200KB
memory/1228-61-0x000000000CEA0000-0x000000000CF00000-memory.dmp | 384KB
memory/1228-56-0x00000000767F1000-0x00000000767F3000-memory.dmp | 8KB
memory/1228-72-0x000000000CEA0000-0x000000000CF00000-memory.dmp | 384KB
memory/1228-73-0x0000000000400000-0x0000000000432000-memory.dmp | 200KB
memory/1228-64-0x0000000000780000-0x000000000078C000-memory.dmp | 48KB
memory/1228-63-0x0000000072940000-0x0000000072A93000-memory.dmp | 1.3MB
memory/1228-62-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
memory/1268-76-0x0000000002AC0000-0x0000000002AC6000-memory.dmp | 24KB
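Reading the WriteProcessMemory rows, the process tree and the memory dump list together. This is an added example, my code and not part of the sandbox report: it parses the "wrote to memory of" rows and the dump file names (memory/<pid>-<seq>-<start>-<end>-memory.dmp), rebuilds the injection chain 1228 -> 1176 -> {1192, 1268}, tells a write into the writer's own freshly spawned child apart from a write into a pre-existing process, and lists memory regions that were captured at more than one size. The parent/child relationships and PID-to-image mapping are my reading of the tables above (the tree itself does not print PIDs); the size change of the region at PID 1228's image base 0x400000 is consistent with, but not proof of, the main image being unmapped and replaced.

```python
import re
from collections import defaultdict

SAMPLE = "fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe"

# PID -> image and child -> parent, as read from the process tree and the
# WriteProcessMemory table in the report (my mapping; the tree shows no PIDs).
NAMES = {
    1268: "C:\\Windows\\Explorer.EXE",
    1228: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    1176: "C:\\Windows\\SysWOW64\\explorer.exe",
    1192: "C:\\Windows\\system32\\Dwm.exe",
}
PARENT = {1228: 1268, 1176: 1228}   # 1268 and 1192 are top-level entries in the tree

# Rows of the "Suspicious use of WriteProcessMemory" table, one row per call.
WPM_ROWS = (
    [f"PID 1228 wrote to memory of 1176 1228 {SAMPLE} explorer.exe"] * 7
    + ["PID 1176 wrote to memory of 1192 1176 explorer.exe Dwm.exe"] * 6
    + ["PID 1176 wrote to memory of 1268 1176 explorer.exe Explorer.EXE"] * 6
)

# Dump file names from the Downloads list above.
DUMPS = """
memory/1176-71-0x00000000002A0000-0x00000000002AC000-memory.dmp
memory/1176-70-0x0000000000130000-0x000000000013D000-memory.dmp
memory/1176-68-0x0000000077B10000-0x0000000077C90000-memory.dmp
memory/1176-69-0x00000000001A0000-0x0000000000266000-memory.dmp
memory/1176-67-0x0000000074EA1000-0x0000000074EA3000-memory.dmp
memory/1176-75-0x00000000001A0000-0x0000000000266000-memory.dmp
memory/1176-74-0x0000000077B10000-0x0000000077C90000-memory.dmp
memory/1176-65-0x0000000000000000-mapping.dmp
memory/1228-59-0x000000000CEA0000-0x000000000CF00000-memory.dmp
memory/1228-57-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1228-61-0x000000000CEA0000-0x000000000CF00000-memory.dmp
memory/1228-56-0x00000000767F1000-0x00000000767F3000-memory.dmp
memory/1228-72-0x000000000CEA0000-0x000000000CF00000-memory.dmp
memory/1228-73-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1228-64-0x0000000000780000-0x000000000078C000-memory.dmp
memory/1228-63-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/1228-62-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1268-76-0x0000000002AC0000-0x0000000002AC6000-memory.dmp
""".split()

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) ")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_injections(rows):
    """Count WriteProcessMemory calls per (writer pid, target pid)."""
    counts = defaultdict(int)
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            counts[(int(m[1]), int(m[2]))] += 1
    return dict(counts)


def describe(src, dst, parent):
    """A write into the writer's own child is the spawn-then-write (hollowing) shape;
    anything else is injection into a process that already existed."""
    if parent.get(dst) == src:
        return "own child (spawn-then-write, hollowing pattern)"
    return "pre-existing process (cross-process injection)"


def injection_chain(counts, parent):
    """Walk the write edges breadth-first, starting from the PID nobody writes into."""
    out = defaultdict(list)
    for (s, d), n in counts.items():
        out[s].append((d, n))
    targets = {d for _, d in counts}
    queue = sorted(s for s in out if s not in targets)
    chain, seen = [], set(queue)
    while queue:
        s = queue.pop(0)
        for d, n in sorted(out[s]):
            chain.append((s, d, n, describe(s, d, parent)))
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return chain


def region_size_changes(dump_names):
    """Group dumps by (pid, base address) and return the regions captured at more than
    one size, sizes in capture order (the seq number in the file name)."""
    by_region = defaultdict(list)
    for name in dump_names:
        m = DUMP_RE.match(name)
        if not m:          # the ...-mapping.dmp entry carries no address range
            continue
        pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        by_region[(pid, start)].append((seq, end - start))
    return {k: [size for _, size in sorted(v)] for k, v in by_region.items()
            if len({size for _, size in v}) > 1}


if __name__ == "__main__":
    for s, d, n, kind in injection_chain(parse_injections(WPM_ROWS), PARENT):
        print(f"{s} ({NAMES[s]}) -> {d} ({NAMES[d]}): {n} writes, {kind}")
    for (pid, base), sizes in region_size_changes(DUMPS).items():
        print(f"PID {pid} region at {base:#x} dumped at sizes {[f'{x:#x}' for x in sizes]}")
```

On this report the chain comes out as the sample (1228) writing into the SysWOW64 explorer.exe it spawned (1176), and that process in turn writing into Dwm.exe (1192) and the desktop shell Explorer.EXE (1268), neither of which it created. The only region dumped at different sizes is 1228's 0x400000 image base (200KB, then 400KB, then 200KB across dumps 57, 62 and 73); the on-disk file is 392KB, so the 400KB capture is the one worth opening first.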