Analysis
max time kernel: 560s
max time network: 514s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 21:25
Behavioral task: behavioral1
Sample: 130fa3b3bbb84d762e74f602a67ef5d2f9aa949ee33dd8d23fefd1cf24d931b2.zip
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 130fa3b3bbb84d762e74f602a67ef5d2f9aa949ee33dd8d23fefd1cf24d931b2.zip
Resource: win10v2004-20221111-en
General
Target: 130fa3b3bbb84d762e74f602a67ef5d2f9aa949ee33dd8d23fefd1cf24d931b2.zip
Size: 3.8MB
MD5: 2663959af536f554600368ee077b33d3
SHA1: a7b08c5227420707681b8bfaf8ace4fe74137019
SHA256: 130fa3b3bbb84d762e74f602a67ef5d2f9aa949ee33dd8d23fefd1cf24d931b2
SHA512: 82639f5d787d5e9045170129cdb46768f77e0fb60c5f3e39ec7369e0acde705954157049e3428fbd57cf003b1fba1af0d427fe7467e81b6efe785f028432b921
SSDEEP: 49152:DVufmPtxtvCJXroOVnQZkHhLjxVT0lb3vsd9vADDgSWOMsWKUo:YfAtxtve4ZMhLjXG7vIvADtilNo
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Process: explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Active Setup\Installed Components

Modifies registry class (3 IoCs)
  Processes: rundll32.exe, explorer.exe
  Key created by rundll32.exe: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
  Key created by explorer.exe: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{E12F31D6-7539-4558-B434-1D53AF79225E}
  Key created by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Process: explorer.exe (PID 2512)
  Token: SeShutdownPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeShutdownPrivilege
  Token: SeCreatePagefilePrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: explorer.exe (PID 2512), two hits

Suspicious use of SendNotifyMessage (2 IoCs)
  Process: explorer.exe (PID 2512), two hits
Processes

All six entries are recorded at the top level of the process tree; the report shows no parent-child relationship between them.

C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\130fa3b3bbb84d762e74f602a67ef5d2f9aa949ee33dd8d23fefd1cf24d931b2.zip

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  Signatures: Modifies registry class

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding

C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\76f8c7ad12004df48c2864c985158547 /t 2112 /p 2492

C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\8ca6521df6064779943e3c067c8eaac5 /t 2112 /p 2492

C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures: Modifies Installed Components in the registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Reading note: the submitted target is a .zip archive, and every process in the tree is Windows shell infrastructure, namely Explorer opening the archive (the /idlist invocation on the file under the user's Temp directory), two shell32 COM local servers hosted by rundll32.exe, Windows Error Reporting (werfault.exe), and the desktop explorer.exe instance. No process launched from the archive's extracted contents appears, and every signature listed above is attributed to explorer.exe or rundll32.exe, so the registry writes and privilege adjustments are the shell's own activity rather than behaviour of the archived payload. Treat this run as "not detonated" rather than as evidence that the archive is benign; a meaningful verdict requires extracting the archive and submitting its contents, or a run on the behavioral1 (win7) resource listed above, which this page does not show.
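When triaging many sandbox reports, the "nothing but the shell ran" pattern above is worth flagging automatically so that an archive submission is not mistaken for a clean detonation. The following is an added example, not code from the report or its sandbox: it takes the six command lines copied from the Processes section, treats Explorer (including the /idlist form), shell32 local COM servers started through rundll32.exe, and werfault.exe as shell noise, and returns whatever is left. The CONSTRUCTED_DETONATION line (a hypothetical binary running from the Temp folder) is invented here only to show the positive case.

```python
import re

# The six process command lines from the Processes section of this report.
REPORT_PROCESSES = [
    r"C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\130fa3b3bbb84d762e74f602a67ef5d2f9aa949ee33dd8d23fefd1cf24d931b2.zip",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding",
    r"werfault.exe /h /shared Global\76f8c7ad12004df48c2864c985158547 /t 2112 /p 2492",
    r"werfault.exe /h /shared Global\8ca6521df6064779943e3c067c8eaac5 /t 2112 /p 2492",
    r"explorer.exe",
]

# Constructed, hypothetical line (not from the report): what a real detonation
# would typically look like, a binary executing out of the user's Temp folder.
CONSTRUCTED_DETONATION = r"C:\Users\Admin\AppData\Local\Temp\7zO1234\payload.exe"

# Patterns for Windows shell / WER infrastructure that a sandbox launches on its
# own when it merely opens an archive. Matching is on the command line only.
_SHELL_NOISE = [
    # Explorer itself, with or without a path, including "/idlist,,<file>" used to open a folder or archive
    re.compile(r"^(?:C:\\Windows\\)?explorer\.exe(?:\s|$)", re.I),
    # shell32 COM local servers hosted by rundll32 via SHCreateLocalServerRunDll {CLSID}
    re.compile(r"rundll32\.exe\s+\S*shell32\.dll,SHCreateLocalServerRunDll\s+\{[0-9a-f-]{36}\}", re.I),
    # Windows Error Reporting
    re.compile(r"(?:^|\\)werfault\.exe(?:\s|$)", re.I),
]


def is_shell_noise(cmdline: str) -> bool:
    """True if the command line is Windows shell or WER infrastructure."""
    return any(p.search(cmdline) for p in _SHELL_NOISE)


def sample_derived_processes(cmdlines):
    """Return the command lines that are not shell noise.

    An empty result means the run recorded only the shell opening the target,
    i.e. the submission did not detonate.
    """
    return [c for c in cmdlines if not is_shell_noise(c)]


def detonation_verdict(cmdlines) -> str:
    """Summarise a process list as 'not detonated' or 'detonated'."""
    return "detonated" if sample_derived_processes(cmdlines) else "not detonated"


if __name__ == "__main__":
    print(detonation_verdict(REPORT_PROCESSES))                            # not detonated
    print(detonation_verdict(REPORT_PROCESSES + [CONSTRUCTED_DETONATION]))  # detonated
```

This is a triage filter, not a detection: an allowlist keyed on command-line text is defeated by a sample that names its binary explorer.exe or werfault.exe, and the bare "explorer.exe" entry in the report carries no path at all, so the filter has to accept it. In a real pipeline, use the image path, signer and parent PID from the sandbox's process events rather than the rendered command line, and treat this heuristic only as a hint that an archive needs to be extracted and resubmitted.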