Analysis
-
max time kernel
191s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 22:46
Static task
static1
Behavioral task
behavioral1
Sample
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe
Resource
win7-20221111-en
General
-
Target
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe
-
Size
269KB
-
MD5
652cff0c8e9559836174208bbc4d30ac
-
SHA1
1d201e2ba05ea77830bb6d309934efd03870e169
-
SHA256
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768
-
SHA512
1064c866ca2b451dc94d7a609cde8382532ace465150fd4a4205b88ee1e25dc97628bccad0e54a5c6d43d0be00d5aff32be93eeada83f740c4c1528ec6204969
-
SSDEEP
6144:pAsBZEpJNN/wel76jWJqj4/ZTqUpS4G561nv:spJDH6UhmN56hv
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5ma97933ck139.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5ma97933ck139.exe\DisableExceptionChainValidation 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "roxi.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 1 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exepid process 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\5ma97933ck139.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\5ma97933ck139.exe\"" explorer.exe -
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exedescription ioc process File created C:\ProgramData\Windows Search 5.3.10\desktop.ini 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe File opened for modification C:\ProgramData\Windows Search 5.3.10\desktop.ini 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exeexplorer.exepid process 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exedescription pid process target process PID 2684 set thread context of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2520 4248 WerFault.exe explorer.exe 2728 2520 WerFault.exe WerFault.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exe19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
explorer.exepid process 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe 4248 explorer.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exeexplorer.exepid process 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 4248 explorer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exepid process 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exeexplorer.exedescription pid process Token: SeDebugPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeRestorePrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeBackupPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeLoadDriverPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeCreatePagefilePrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeShutdownPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeTakeOwnershipPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeChangeNotifyPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeCreateTokenPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeMachineAccountPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeSecurityPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeAssignPrimaryTokenPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeCreateGlobalPrivilege 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: 33 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe Token: SeDebugPrivilege 4248 explorer.exe Token: SeRestorePrivilege 4248 explorer.exe Token: SeBackupPrivilege 4248 explorer.exe Token: SeLoadDriverPrivilege 4248 explorer.exe Token: SeCreatePagefilePrivilege 4248 explorer.exe Token: SeShutdownPrivilege 4248 explorer.exe Token: SeTakeOwnershipPrivilege 4248 explorer.exe Token: SeChangeNotifyPrivilege 4248 explorer.exe Token: SeCreateTokenPrivilege 4248 explorer.exe Token: SeMachineAccountPrivilege 4248 explorer.exe Token: SeSecurityPrivilege 4248 explorer.exe Token: SeAssignPrimaryTokenPrivilege 4248 explorer.exe Token: SeCreateGlobalPrivilege 4248 explorer.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exeexplorer.exedescription pid process target process PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2684 wrote to memory of 2284 2684 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe PID 2284 wrote to memory of 4248 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe explorer.exe PID 2284 wrote to memory of 4248 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe explorer.exe PID 2284 wrote to memory of 4248 2284 19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe explorer.exe PID 4248 wrote to memory of 2520 4248 explorer.exe WerFault.exe PID 4248 wrote to memory of 2520 4248 explorer.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe"C:\Users\Admin\AppData\Local\Temp\19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe"C:\Users\Admin\AppData\Local\Temp\19efed081f95e2d54bd2261580c49e4e0a96378e9ef2ffcb69c48600b41a9768.exe"2⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 11444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 8885⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4248 -ip 42481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2520 -ip 25201⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsn40F3.tmp\jailhouse.dllFilesize
14KB
MD58e81330474a400a1dec632839cd89f74
SHA1ebc3941a2ea60b81dab0856354e71febb320d6b6
SHA256a338454b2181d2ec512837415e703edcd25879c0c8caa2f438b1d8eee2440e42
SHA5129223011bf23d135568c74423f6215c6328b07f7edb597ade8411f019e8b4ebe50aec1512fae1c88a01007fab5897aa332c0f18702fee548986acf3c788189fe9
-
memory/2284-143-0x00000000027B0000-0x00000000027BC000-memory.dmpFilesize
48KB
-
memory/2284-139-0x00000000022B0000-0x0000000002310000-memory.dmpFilesize
384KB
-
memory/2284-144-0x00000000022B0000-0x0000000002310000-memory.dmpFilesize
384KB
-
memory/2284-137-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2284-149-0x00000000022B0000-0x0000000002310000-memory.dmpFilesize
384KB
-
memory/2284-141-0x00000000022B0000-0x0000000002310000-memory.dmpFilesize
384KB
-
memory/2284-142-0x0000000000600000-0x000000000060D000-memory.dmpFilesize
52KB
-
memory/2284-148-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2284-136-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2284-134-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2284-133-0x0000000000000000-mapping.dmp
-
memory/2520-151-0x0000000002720000-0x00000000027C7000-memory.dmpFilesize
668KB
-
memory/4248-147-0x0000000000800000-0x00000000008A7000-memory.dmpFilesize
668KB
-
memory/4248-146-0x0000000000FE0000-0x0000000001413000-memory.dmpFilesize
4.2MB
-
memory/4248-145-0x0000000000000000-mapping.dmp
-
memory/4248-150-0x0000000000800000-0x00000000008A7000-memory.dmpFilesize
668KB
-
memory/4248-152-0x0000000000800000-0x00000000008A7000-memory.dmpFilesize
668KB