Analysis
-
max time kernel
70s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/12/2022, 22:57
Static task
static1
Behavioral task
behavioral1
Sample
f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe
Resource
win7-20220812-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe
-
Size
113KB
-
MD5
0270e70c6cc000d82cc3cc93a6c9d8c9
-
SHA1
c25328ec427ca2c318c0265bbf0baeb19b9d40fe
-
SHA256
f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe
-
SHA512
2f8849c8c113a0657af79d77fca77245ed674222a30928c0f528e6f1956990b454cfed91dc707566322f654e1462abd206d45d4fcd64e5e2c717cbbc2c77ffd6
-
SSDEEP
3072:/y3xG9uGQVwuWmWg9+P3to8VGIoInBGbLMHMb9/x1e:KhG9uGju9tcPdzSIAnF9J8
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe = "c:\\users\\admin\\appdata\\local\\temp\\f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe:*:Enabled:System Update" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msorcvp = "c:\\windows\\msorcvp.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\msorcvp\ImagePath = "c:\\windows\\msorcvp.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msorcvp = "c:\\windows\\msorcvp.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msorcvp = "c:\\windows\\msorcvp.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\e: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\u: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\r: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\q: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\h: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\f: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\v: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\o: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\j: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\m: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\i: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\z: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\y: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\w: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\p: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\l: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\k: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\x: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\t: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\s: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened (read-only) \??\n: f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\regedit.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File opened for modification \??\c:\windows\calc.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\regedit2.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened for modification \??\c:\windows\regedit2.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeGammaLoader.scr f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\msorcvp.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\lsassv.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened for modification \??\c:\windows\msrpc.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\calc.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\Start Menu\Programs\Startup\AdobeGammaLoader.scr f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened for modification \??\c:\windows\mui\rctfd.sys f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened for modification \??\c:\windows\msorcvp.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File opened for modification \??\c:\windows\lsassv.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe File created \??\c:\windows\msrpc.exe f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A} f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "138" f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 936 f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe"C:\Users\Admin\AppData\Local\Temp\f9de4765a093fe8efe6909d64040176035dbcb7910747840d7cd59448ce96cbe.exe"1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:936