Analysis
max time kernel: 187s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 27-11-2022 17:37
Static task
static1
Behavioral task
behavioral1
Sample
285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Resource
win7-20221111-en
General
Target: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Size: 285KB
MD5: 01daf4f618eac4c7379b4d1f8046deaa
SHA1: c73db227644dc6cc6d9b7fb91468014572507b4d
SHA256: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536
SHA512: 435380deca7baf660e8a6b673d02ff6478bc6d823ca416b04a4ff758ffb7c821d5495f9870e9a8bbe513bde229ad5a114e44283160146e205e49d9489fbad465
SSDEEP: 6144:JAsBZACyfs1vYtn9BqNmJ5y52jzm2YYrTASZ:YCyfsYBT5yEqM7Z
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
EnableFirewall = 0 under a FirewallPolicy profile key turns Windows Firewall off for that profile. Here the Standard (private) and Public profiles are both disabled, and the writes come from the injected explorer.exe rather than from the sample's own image.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Sets file execution options in registry 2 TTPs 4 IoCs
A Debugger value under Image File Execution Options\<image> makes the loader start the named program, with the original command line appended, whenever <image> is launched; here rstrui.exe (System Restore) is redirected to kymtbjavkn.exe, so a user who tries to restore the machine runs the attacker's binary instead. DisableExceptionChainValidation under the dropped 591933uu.exe is the per-image SEHOP switch (1 disables it); the report does not show the data written.
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\591933uu.exe | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\591933uu.exe\DisableExceptionChainValidation | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "kymtbjavkn.exe" | explorer.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL 1 IoCs
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
pid | process
528 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Adds Run key to start application 2 TTPs 4 IoCs
A RunOnce and a Run entry, both named "Windows Search 5.3.10", point at the dropped copy in C:\ProgramData\Windows Search 5.3.10\591933uu.exe, so the payload is relaunched at the user's next logon. The name imitates a Windows component; the real Windows Search does not live in ProgramData.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\591933uu.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\591933uu.exe\"" | explorer.exe
Checks whether UAC is enabled 1 IoCs
EnableLUA under Policies\System is the UAC master switch (1 = enabled). The sample only reads it; no write to this value appears in the run.
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Drops desktop.ini file(s) 2 IoCs
A desktop.ini in the drop directory lets the folder carry a custom icon or display name in Explorer, which helps it blend in with legitimate ProgramData folders.
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
description | ioc | process
File created | C:\ProgramData\Windows Search 5.3.10\desktop.ini | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
File opened for modification | C:\ProgramData\Windows Search 5.3.10\desktop.ini | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class stops an attached debugger from receiving events for that thread. One call comes from the hollowed sample (PID 536), the other seven from the injected explorer.exe (PID 4268).
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe, explorer.exe
pid | process | calls
536 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe | 1
4268 | explorer.exe | 7
Suspicious use of SetThreadContext 1 IoCs
The parent (PID 528) sets the thread context of a second instance of its own image (PID 536), the same process it writes to ten times (see WriteProcessMemory below). Writes plus SetThreadContext into a child running the same image is the pattern of process hollowing: overwrite the child's image, then repoint its thread at the new code.
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
description | pid | process | target process
PID 528 set thread context of 536 | 528 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but no IoCs were recorded for it in this run and no other signature here points to file encryption; the rest of the behaviour (firewall disabled, Run key persistence, IE Protected Mode disabled, injection into explorer.exe) is more consistent with a persistent trojan than with ransomware.
Program crash 1 IoCs
Windows Error Reporting (WerFault.exe, PID 3744) handled a crash of the injected explorer.exe (PID 4268).
Processes: WerFault.exe
pid | pid_target | process | target process
3744 | 4268 | WerFault.exe | explorer.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry 2 TTPs 2 IoCs
SystemManufacturer, together with SystemBiosVersion and ProcessorNameString above, are the values a sample typically compares against hypervisor vendor strings before deciding whether to run.
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Value 2500 under Internet Settings\Zones\<n> is the "Turn on Protected Mode" setting for that zone; 3 disables it. Zones 1 to 4 are Local intranet, Trusted sites, Internet and Restricted sites, so Protected Mode is switched off for every zone.
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
NoProtectedModeBanner = 1 suppresses the notification bar Internet Explorer shows when Protected Mode is off, hiding the zone changes above from the user.
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings 1 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: explorer.exe
pid | process | occurrences
4268 | explorer.exe | 6
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
pid | process | occurrences
536 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe | 2
Suspicious behavior: RenamesItself 1 IoCs
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
pid | process
536 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
The hollowed sample (PID 536) and the injected explorer.exe (PID 4268) request the same broad set of privileges, including SeDebugPrivilege (open any process), SeLoadDriverPrivilege and SeBackupPrivilege/SeRestorePrivilege (read or write files regardless of ACL). AdjustTokenPrivileges can only enable privileges the token already holds; the successful HKLM\SYSTEM writes above show the sample ran with an administrative token in this run, so most of these requests will have been granted.
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe, explorer.exe
pid | process | tokens
536 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
4268 | explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege
Suspicious use of WriteProcessMemory 13 IoCs
Two stages: ten writes from the parent (PID 528) into its own second instance (PID 536), then three writes from PID 536 into the explorer.exe it spawned (PID 4268).
Processes: 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe, explorer.exe
description | pid | process | target process
PID 528 wrote to memory of 536 (10 times) | 528 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 536 wrote to memory of 4268 (3 times) | 536 | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe | explorer.exe
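The registry IoCs above map directly onto host-telemetry detection rules. The Python below is an added example and is not part of the sandbox report or of the sample: it normalises the object-manager paths the report prints (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to the HKLM/HKU form Sysmon uses, then evaluates six rules (IFEO Debugger set, IFEO DisableExceptionChainValidation set, firewall profile disabled, Run/RunOnce pointing into a user-writable directory, IE zone value 2500 = 3, NoProtectedModeBanner = 1) over events shaped like Sysmon Event ID 13. The events, their field names and the benign "Vendor" control entry are constructed for the example, and because the report omits the data written to DisableExceptionChainValidation the sample event assumes 1.

```python
"""Detection rules built from the registry IoCs in the report above.
Added example, not code from the sandbox or the sample. Input records are
constructed to look like Sysmon RegistryEvent (Event ID 13) with the fields
EventType, TargetObject, Details and Image; none are real log lines."""
import re
from dataclasses import dataclass
from typing import Optional

IFEO = r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+\\"
FWPOL = r"^HKLM\\SYSTEM\\ControlSet\d{3}\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
HKU = r"^HKU\\[^\\]+\\"  # per-user hive, any SID
RULES = {
    # IFEO\<image>\Debugger: Windows starts this program in place of <image>.
    "ifeo_debugger": re.compile(IFEO + r"Debugger$", re.I),
    # IFEO\<image>\DisableExceptionChainValidation = 1 turns SEHOP off for <image>.
    "ifeo_sehop_disabled": re.compile(IFEO + r"DisableExceptionChainValidation$", re.I),
    # FirewallPolicy\<Profile>\EnableFirewall = 0 disables the firewall for that profile.
    "firewall_disabled": re.compile(FWPOL + r"(?:Standard|Public|Domain)Profile\\EnableFirewall$", re.I),
    "run_key_user_writable": re.compile(HKU + r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I),
    # Zones\<1-4>\2500 is "Turn on Protected Mode"; 3 = disabled.
    "ie_protected_mode_off": re.compile(HKU + r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[1-4]\\2500$", re.I),
    "ie_protected_mode_banner_off": re.compile(HKU + r"SOFTWARE\\Microsoft\\Internet Explorer\\Main\\NoProtectedModeBanner$", re.I),
}
# Directories a legitimate autorun entry rarely launches from.
USER_WRITABLE = re.compile(r"\\(?:ProgramData|AppData|Users\\Public|Temp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    key: str
    value: Optional[str]


def normalize_key(path: str) -> str:
    """Map the sandbox's object-manager paths onto Sysmon's HKLM/HKU spelling."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_details(details: Optional[str]) -> Optional[str]:
    """Sysmon renders integers as 'DWORD (0x00000003)'; return '3'. Strings are dequoted."""
    if details is None:
        return None
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)", details.strip())
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


def evaluate(event: dict) -> list:
    """Findings for one event. Only value writes score; key creation alone is noise."""
    if event.get("EventType") != "SetValue":
        return []
    key, value = normalize_key(event["TargetObject"]), parse_details(event.get("Details"))
    conditions = {  # what the written data must be for each matched key
        "ifeo_debugger": True,
        "ifeo_sehop_disabled": value not in (None, "0"),
        "firewall_disabled": value == "0",
        "run_key_user_writable": bool(value and USER_WRITABLE.search(value)),
        "ie_protected_mode_off": value == "3",
        "ie_protected_mode_banner_off": value == "1",
    }
    return [Finding(name, event.get("Image", ""), key, value)
            for name, rx in RULES.items() if rx.match(key) and conditions[name]]


def run_rules(events: list) -> list:
    return [f for ev in events for f in evaluate(ev)]


SID = "S-1-5-21-2386679933-1492765628-3466841596-1000"  # the user SID in the report
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
# Constructed events mirroring the report's IoCs, plus one benign control that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": EXPLORER, "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"EventType": "SetValue", "Image": EXPLORER, "Details": "kymtbjavkn.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger"},
    {"EventType": "SetValue", "Image": SAMPLE, "Details": "DWORD (0x00000001)",  # data assumed; the report omits it
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\591933uu.exe\DisableExceptionChainValidation"},
    {"EventType": "SetValue", "Image": EXPLORER, "Details": r'"C:\ProgramData\Windows Search 5.3.10\591933uu.exe"',
     "TargetObject": "\\REGISTRY\\USER\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10"},
    {"EventType": "SetValue", "Image": EXPLORER, "Details": "DWORD (0x00000003)",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500"},
    {"EventType": "SetValue", "Image": EXPLORER, "Details": "DWORD (0x00000001)",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe", "Details": r'"C:\Program Files\Vendor\update.exe"',
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.image:40} {f.key} = {f.value}")
```

The Run rule deliberately keys on the launch directory rather than the entry name, because the name ("Windows Search 5.3.10") is attacker-chosen and will differ between samples; the IFEO Debugger rule has no value condition because there is no routine reason for that value to appear on a production host.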
Processes
1. C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe (PID 528)
   "C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe (PID 536; second instance of the same image, target of PID 528's ten WriteProcessMemory calls and its SetThreadContext call)
      "C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
      - Sets file execution options in registry
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (PID 4268; 32-bit explorer.exe spawned by PID 536 and written to by it three times; all of the following fire from the injected code)
         C:\Windows\SysWOW64\explorer.exe
         - Modifies firewall policy service
         - Sets file execution options in registry
         - Checks BIOS information in registry
         - Adds Run key to start application
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Enumerates system info in registry
         - Modifies Internet Explorer Protected Mode
         - Modifies Internet Explorer Protected Mode Banner
         - Modifies Internet Explorer settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe (PID 3744; Windows Error Reporting for the crash of PID 4268)
            C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1128
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4268 -ip 4268
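Read together with the SetThreadContext and WriteProcessMemory signatures, the tree above is a two-stage injection chain, and the distinction between the stages is one an analyst can codify. The Python below is an added example, not code from the report or the sample: it scores writes plus SetThreadContext into a child running the same image as process hollowing, writes into a child running a different image (explorer.exe here) as injection into a spawned child, and writes into any other process as remote injection, then follows the writer-to-target edges to recover the chain. The process table and event list are constructed from the PIDs and counts the report lists; the record shape is a simplification of what EDR telemetry provides and is an assumption of the example.

```python
"""Classifying the cross-process writes in the process tree above.
Added example; not code from the sandbox or the sample. The process table and
events are constructed from the PIDs and counts the report lists
(528 -> 536 -> 4268); real EDR telemetry would carry timestamps and handles."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]
    image: str


@dataclass(frozen=True)
class Event:
    api: str  # "WriteProcessMemory" or "SetThreadContext"
    src: int  # calling PID
    dst: int  # PID whose memory or thread is touched


def classify(procs: Dict[int, Proc], events: List[Event]) -> List[dict]:
    """One finding per (writer, target) pair, labelled by what the pair looks like."""
    writes = Counter((e.src, e.dst) for e in events if e.api == "WriteProcessMemory")
    ctx = {(e.src, e.dst) for e in events if e.api == "SetThreadContext"}
    findings = []
    for (src, dst), n in sorted(writes.items()):
        target = procs[dst]
        own_child = target.parent == src
        same_image = target.image.lower() == procs[src].image.lower()
        if own_child and same_image and (src, dst) in ctx:
            kind = "process_hollowing"  # own image spawned, overwritten, thread repointed
        elif own_child:
            kind = "write_into_spawned_child"  # a different binary spawned and written into
        else:
            kind = "remote_injection"  # target is not a child of the writer
        findings.append({"kind": kind, "src": src, "dst": dst, "writes": n,
                         "thread_context_set": (src, dst) in ctx, "target_image": target.image})
    return findings


def injection_chain(findings: List[dict], root: int) -> List[int]:
    """Follow writer -> target edges from the root PID; stops at a leaf or a cycle."""
    edges = {}
    for f in findings:
        edges.setdefault(f["src"], f["dst"])
    chain = [root]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
# Constructed from the report: ten writes 528->536 plus one SetThreadContext, three writes 536->4268.
PROCS = {
    528: Proc(528, None, SAMPLE),
    536: Proc(536, 528, SAMPLE),
    4268: Proc(4268, 536, EXPLORER),
}
EVENTS = ([Event("WriteProcessMemory", 528, 536)] * 10
          + [Event("SetThreadContext", 528, 536)]
          + [Event("WriteProcessMemory", 536, 4268)] * 3)

if __name__ == "__main__":
    found = classify(PROCS, EVENTS)
    for f in found:
        print(f"{f['kind']:26} {f['src']} -> {f['dst']} ({f['writes']} writes) {f['target_image']}")
    print("chain:", " -> ".join(map(str, injection_chain(found, 528))))
```

The three labels carry different response weight: hollowing of the sample's own image tells you the on-disk file is a loader and the payload only exists in PID 536's memory, while the writes into explorer.exe tell you which process to dump and which one the registry changes will be attributed to.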
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsv1639.tmp\skiers.dll
An ns<xxxx>.tmp directory under %TEMP% is where an NSIS installer unpacks its plugin DLLs, so the sample is an NSIS-wrapped dropper; this is the only dropped DLL in the run, consistent with the Loads dropped DLL hit on PID 528.
Filesize: 228KB
MD5: fc7a721c4e3c90b9598d7c81fe77e726
SHA1: fe84f4d480c5da5e55c09842b74d502b03736770
SHA256: d059347af564675db2b15bf372282457e4c4b829712ef67c1aa2864b8c706c6d
SHA512: 7bcc246a883e12c4f8965e99f2288e13d8a754600159240df6f881818d54a611b6cbdbe7364aa992405388f8b6b68fa6ad369f53f2fe1bba724cec699e2a0f8a
Memory dumps are named memory/<pid>-<sequence>-<range>. The 0x400000-0x432000 region (200KB) in PID 536 is the default 32-bit image base of the sample's own image, captured four times across the run; the 0x2160000-0x21C0000 region (384KB) is captured three times.
memory/536-133-0x0000000000000000-mapping.dmp
memory/536-134-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/536-136-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/536-137-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/536-139-0x0000000002160000-0x00000000021C0000-memory.dmp  384KB
memory/536-141-0x0000000002160000-0x00000000021C0000-memory.dmp  384KB
memory/536-142-0x0000000000970000-0x000000000097D000-memory.dmp  52KB
memory/536-143-0x0000000002670000-0x000000000267C000-memory.dmp  48KB
memory/536-145-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/536-146-0x0000000002160000-0x00000000021C0000-memory.dmp  384KB
memory/4268-144-0x0000000000000000-mapping.dmp
memory/4268-147-0x00000000002C0000-0x00000000006F3000-memory.dmp  4.2MB
memory/4268-148-0x0000000000A00000-0x0000000000AAB000-memory.dmp  684KB
memory/4268-149-0x0000000000E60000-0x0000000000E6D000-memory.dmp  52KB
memory/4268-150-0x0000000000A00000-0x0000000000AAB000-memory.dmp  684KB
memory/4268-151-0x0000000000A00000-0x0000000000AAB000-memory.dmp  684KB