967085c6e5df28bb3d9a1a6e2680423d38b8940b00a65b5407859f5d6aacfc7f

Analysis

max time kernel
123s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
15-01-2023 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FrostyModManager.exe
Size

506KB
MD5

ce2e89ab7ba7e003af3feb74ec0d1a20
SHA1

6861071664db9fd994d6c4bbddb5e2be192a9e98
SHA256

8fcdb7659bc77b23f374e6eb89427c8dda7727a25c8a8bca3bdf494fd1c801db
SHA512

9044e40e37c37d1ffac9890d7bf1a7093c8043231fd49945d38beee849b26cdccd2c20e3d7af6d2bd096e125776b1b8a28dad385eb468bf49d0edb6d7c74710c
SSDEEP

3072:8+Uv+M/88jAku6tIUpoHopGg1DSnACXdS2YUFsviH8zQq/fgSR0pm/fOiC5c2r:VUvpBOE1OnHXYUsaH8zf/ISR0pm/Gy2

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4372 4840 WerFault.exe

pid	pid_target	process	target process
4372	4840	WerFault.exe

Modifies registry class 33 IoCs

Processes:

FrostyModManager.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	FrostyModManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	FrostyModManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FrostyModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	FrostyModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FrostyModManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FrostyModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FrostyModManager.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FrostyModManager.exe

description pid process

Token: SeDebugPrivilege 4772 FrostyModManager.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

FrostyModManager.exe

pid process

4772 FrostyModManager.exe
4772 FrostyModManager.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FrostyModManager.exe

pid process

4772 FrostyModManager.exe

description	pid	process
Token: SeDebugPrivilege	4772	FrostyModManager.exe

pid	process
4772	FrostyModManager.exe
4772	FrostyModManager.exe

pid	process
4772	FrostyModManager.exe

C:\Users\Admin\AppData\Local\Temp\FrostyModManager.exe
"C:\Users\Admin\AppData\Local\Temp\FrostyModManager.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 4840 -ip 4840
1⤵
PID:1408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4840 -s 2476
1⤵
- Program crash
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-132-0x00000190E25F0000-0x00000190E2674000-memory.dmp

Filesize
528KB

Download
memory/4772-133-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmp

Filesize
10.8MB

Download
memory/4772-134-0x00000190FF720000-0x00000190FFD0E000-memory.dmp

Filesize
5.9MB

Download
memory/4772-135-0x00000190FF3D0000-0x00000190FF662000-memory.dmp

Filesize
2.6MB

Download
memory/4772-136-0x00000190FFD10000-0x00000190FFE12000-memory.dmp

Filesize
1.0MB

Download
memory/4772-137-0x00000190FCA50000-0x00000190FCA6C000-memory.dmp

Filesize
112KB

Download
memory/4772-138-0x00000190E2B60000-0x00000190E2B6E000-memory.dmp

Filesize
56KB

Download
memory/4772-139-0x00000190FCA30000-0x00000190FCA38000-memory.dmp

Filesize
32KB

Download
memory/4772-140-0x00000190FCB00000-0x00000190FCB42000-memory.dmp

Filesize
264KB

Download
memory/4772-141-0x00000190FCA90000-0x00000190FCAAA000-memory.dmp

Filesize
104KB

Download
memory/4772-142-0x00000190FFF10000-0x00000190FFFC0000-memory.dmp

Filesize
704KB

Download
memory/4772-143-0x00000190FCB80000-0x00000190FCBA2000-memory.dmp

Filesize
136KB

Download
memory/4772-144-0x00000190FF6C0000-0x00000190FF706000-memory.dmp

Filesize
280KB

Download
memory/4772-145-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmp

Filesize
10.8MB

Download
memory/4772-146-0x00000190FCB50000-0x00000190FCB70000-memory.dmp

Filesize
128KB

Download
memory/4772-147-0x00000190FCAC0000-0x00000190FCAC8000-memory.dmp

Filesize
32KB

Download
memory/4772-148-0x00000190FFFC0000-0x00000190FFFF8000-memory.dmp

Filesize
224KB

Download
memory/4772-149-0x00000190FCAD0000-0x00000190FCADE000-memory.dmp

Filesize
56KB

Download