3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb

Analysis

max time kernel
147s
max time network
70s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 15:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
Size

9.2MB
MD5

3685bf179182825f79569a5ed730f586
SHA1

db87834bd9183183085e2ec1880729a07b88059e
SHA256

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb
SHA512

e5fccab9d05abe8f6838f582bc5326af15c9c12353a9062c47d85f6b76b2ee24e195154c1dbe622919a92414ddb933af16f3436d42575a6e892aa39d3f0150a3
SSDEEP

196608:sVOMAQtJHQbegJtU6ZPYW251neAjnqjIxycT7B:kASQyRwYW239nqjMlV

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sky.sys	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 51 IoCs

pid	Process
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
1416	3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

C:\Users\Admin\AppData\Local\Temp\3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe
"C:\Users\Admin\AppData\Local\Temp\3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1416

Network

DNS

www.wg50.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www.wg50.com

IN A

Response
DNS

www.wg50.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www.wg50.com

IN A

Response
DNS

www.wg50.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www.wg50.com

IN A

Response
DNS

www1.fy911.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www1.fy911.com

IN A

Response

www1.fy911.com

IN A

104.206.87.22
DNS

www.wg50.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www.wg50.com

IN A

Response
DNS

www.wg50.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www.wg50.com

IN A

Response
DNS

www.wg50.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

Remote address:

8.8.8.8:53

Request

www.wg50.com

IN A

Response

104.206.87.22:88

www1.fy911.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

152 B
120 B
3
3
104.206.87.22:88

www1.fy911.com

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

152 B
120 B
3
3

8.8.8.8:53

www.wg50.com

dns

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

174 B
174 B
3
3

DNS Request

www.wg50.com

DNS Request

www.wg50.com

DNS Request

www.wg50.com
8.8.8.8:53

www1.fy911.com

dns

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

60 B
76 B
1
1

DNS Request

www1.fy911.com

DNS Response

104.206.87.22
8.8.8.8:53

www.wg50.com

dns

3f1709224c113a36e8b3a7d4bb24b9ec35b762d94a8218f8f4c0b82c9ed51cbb.exe

174 B
174 B
3
3

DNS Request

www.wg50.com

DNS Request

www.wg50.com

DNS Request

www.wg50.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1416-56-0x0000000075D00000-0x0000000075D47000-memory.dmp

Filesize
284KB

Download
memory/1416-462-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-464-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-463-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-465-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-466-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-468-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-469-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-470-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-467-0x0000000000400000-0x0000000000D30000-memory.dmp

Filesize
9.2MB

Download
memory/1416-471-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-472-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-473-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-474-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-475-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-476-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-478-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-479-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-477-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-480-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-481-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-484-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-488-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-487-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-489-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-485-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-486-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-490-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-491-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-494-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-495-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-497-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-499-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-500-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-502-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-503-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-505-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-507-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-508-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-506-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-509-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-504-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-501-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-498-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-496-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-493-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-510-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-492-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-482-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-483-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-511-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-512-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-513-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-514-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-515-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-516-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-517-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-519-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-521-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-522-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-524-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-523-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-520-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-518-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-1407-0x0000000000D80000-0x0000000000E80000-memory.dmp

Filesize
1024KB

Download
memory/1416-1408-0x00000000028E0000-0x0000000002A61000-memory.dmp

Filesize
1.5MB

Download
memory/1416-4560-0x0000000000D80000-0x0000000000E80000-memory.dmp

Filesize
1024KB

Download
memory/1416-4613-0x0000000002A70000-0x0000000002B81000-memory.dmp

Filesize
1.1MB

Download
memory/1416-4614-0x00000000027A0000-0x00000000028A1000-memory.dmp

Filesize
1.0MB

Download
memory/1416-4615-0x0000000002B90000-0x0000000002C31000-memory.dmp

Filesize
644KB

Download
memory/1416-4624-0x0000000004720000-0x0000000004991000-memory.dmp

Filesize
2.4MB

Download
memory/1416-4641-0x0000000004720000-0x0000000004991000-memory.dmp

Filesize
2.4MB

Download
memory/1416-4642-0x0000000000400000-0x0000000000D30000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.