Analysis
max time kernel: 144s
max time network: 275s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 12:50
Static task: static1
Behavioral task: behavioral1
  Sample: e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  Resource: win10v2004-20220812-en
General
Target: e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
Size: 500KB
MD5: 93e07be20f0ac1f7bbcd2d99e0201935
SHA1: 3d91bd7037625dd256ee02fbe84bcce6bc72109b
SHA256: e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95
SHA512: 87d0ee1433ceceb5de9542efd94952c8ad7cf293cccfefe12e0daaabe23fd8da0e3f119ccdb80631427241c2ff891f3a3bee10205c79c748aa5f84651395516c
SSDEEP: 12288:LqtaNB39/RYe+yuy7xZh0Dw0uNRCIxVF6:Lqtm/DTO00uNAIx
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\FCJNUO64XD.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FCJNUO64XD.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  892 | InteliTrace.exe
  1100 | SearchFillterHost.exe
Loads dropped DLL (3 IoCs)
  pid | Process
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  892 | InteliTrace.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\InteliTrace.exe" | InteliTrace.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1164 set thread context of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  1004 | reg.exe
  1092 | reg.exe
  860 | reg.exe
  436 | reg.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  892 | InteliTrace.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  892 | InteliTrace.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  892 | InteliTrace.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  892 | InteliTrace.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  892 | InteliTrace.exe
  1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
  Token: SeDebugPrivilege | 892 | InteliTrace.exe
  Token: 1 | 1008 | AppLaunch.exe
  Token: SeCreateTokenPrivilege | 1008 | AppLaunch.exe
  Token: SeAssignPrimaryTokenPrivilege | 1008 | AppLaunch.exe
  Token: SeLockMemoryPrivilege | 1008 | AppLaunch.exe
  Token: SeIncreaseQuotaPrivilege | 1008 | AppLaunch.exe
  Token: SeMachineAccountPrivilege | 1008 | AppLaunch.exe
  Token: SeTcbPrivilege | 1008 | AppLaunch.exe
  Token: SeSecurityPrivilege | 1008 | AppLaunch.exe
  Token: SeTakeOwnershipPrivilege | 1008 | AppLaunch.exe
  Token: SeLoadDriverPrivilege | 1008 | AppLaunch.exe
  Token: SeSystemProfilePrivilege | 1008 | AppLaunch.exe
  Token: SeSystemtimePrivilege | 1008 | AppLaunch.exe
  Token: SeProfSingleProcessPrivilege | 1008 | AppLaunch.exe
  Token: SeIncBasePriorityPrivilege | 1008 | AppLaunch.exe
  Token: SeCreatePagefilePrivilege | 1008 | AppLaunch.exe
  Token: SeCreatePermanentPrivilege | 1008 | AppLaunch.exe
  Token: SeBackupPrivilege | 1008 | AppLaunch.exe
  Token: SeRestorePrivilege | 1008 | AppLaunch.exe
  Token: SeShutdownPrivilege | 1008 | AppLaunch.exe
  Token: SeDebugPrivilege | 1008 | AppLaunch.exe
  Token: SeAuditPrivilege | 1008 | AppLaunch.exe
  Token: SeSystemEnvironmentPrivilege | 1008 | AppLaunch.exe
  Token: SeChangeNotifyPrivilege | 1008 | AppLaunch.exe
  Token: SeRemoteShutdownPrivilege | 1008 | AppLaunch.exe
  Token: SeUndockPrivilege | 1008 | AppLaunch.exe
  Token: SeSyncAgentPrivilege | 1008 | AppLaunch.exe
  Token: SeEnableDelegationPrivilege | 1008 | AppLaunch.exe
  Token: SeManageVolumePrivilege | 1008 | AppLaunch.exe
  Token: SeImpersonatePrivilege | 1008 | AppLaunch.exe
  Token: SeCreateGlobalPrivilege | 1008 | AppLaunch.exe
  Token: 31 | 1008 | AppLaunch.exe
  Token: 32 | 1008 | AppLaunch.exe
  Token: 33 | 1008 | AppLaunch.exe
  Token: 34 | 1008 | AppLaunch.exe
  Token: 35 | 1008 | AppLaunch.exe
  Token: SeDebugPrivilege | 1100 | SearchFillterHost.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1008 | AppLaunch.exe
  1008 | AppLaunch.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 1008 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 28
  PID 1164 wrote to memory of 892 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 29
  PID 1164 wrote to memory of 892 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 29
  PID 1164 wrote to memory of 892 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 29
  PID 1164 wrote to memory of 892 | 1164 | e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe | 29
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1672 | 1008 | AppLaunch.exe | 30
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1544 | 1008 | AppLaunch.exe | 37
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 1096 | 1008 | AppLaunch.exe | 31
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1008 wrote to memory of 316 | 1008 | AppLaunch.exe | 36
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1672 wrote to memory of 1004 | 1672 | cmd.exe | 38
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1544 wrote to memory of 1092 | 1544 | cmd.exe | 39
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
  PID 1096 wrote to memory of 860 | 1096 | cmd.exe | 40
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95.exe"
    PID: 1164
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        PID: 1008
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 1672
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                PID: 1004
                - Modifies firewall policy service
                - Modifies registry key
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 1096
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                PID: 860
                - Modifies firewall policy service
                - Modifies registry key
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FCJNUO64XD.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FCJNUO64XD.exe:*:Enabled:Windows Messanger" /f
            PID: 316
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FCJNUO64XD.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FCJNUO64XD.exe:*:Enabled:Windows Messanger" /f
                PID: 436
                - Modifies firewall policy service
                - Modifies registry key
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
            PID: 1544
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
                PID: 1092
                - Modifies firewall policy service
                - Modifies registry key
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe"
        PID: 892
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe"
            PID: 1100
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                PID: 1968
Network
MITRE ATT&CK Enterprise v6
Downloads
File (500KB):
  MD5: 93e07be20f0ac1f7bbcd2d99e0201935
  SHA1: 3d91bd7037625dd256ee02fbe84bcce6bc72109b
  SHA256: e9812394ecda56e1386a1f8e5cb379dd5acb32f93bde0ff50580cd9519aeeb95
  SHA512: 87d0ee1433ceceb5de9542efd94952c8ad7cf293cccfefe12e0daaabe23fd8da0e3f119ccdb80631427241c2ff891f3a3bee10205c79c748aa5f84651395516c
File (11KB):
  MD5: cdeded8ead5d39201de62c94384f7150
  SHA1: d192015704227f395abe79a67cc35aaf28910774
  SHA256: 3e2eca577cfa3d8bcf583b5c6fb07e4e44f46cb95228b20e975d562b635c4031
  SHA512: 2fa02cda0c22208f947ff925396cd3f97db447e4fb5365ba61dfc0715d183fd36ad18d527b775beb5efcc03f07ae931d4be73531693d8050cf2b689a7f988e5f