Overview

overview

7

Static

static

1

family_guy.exe

windows7-x64

7

Analysis

  • max time kernel
    136s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12/04/2023, 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    family_guy.exe

  • Size

    1.3MB

  • MD5

    c42b25c0b13bf0b30f0380ff93eeca5c

  • SHA1

    94edabef9a911502f865ad321a13b4519671c3c2

  • SHA256

    20c6b1b1e8e9c1a95769e4628379eef6841ffe08c867c45a97529c6cc59b577f

  • SHA512

    447929d405b734cb8b977a2e2de242ada86aded805c9601376a8cd88ada4f070c23e218b05b6bd17632670e2c23a89d96a1f833c7c563976cd5d53809bbe59ce

  • SSDEEP

    24576:HDGHU4xkmKp0YmfU3SqlIJlXKc4I6IDjtiAiaD:nnmN1yjl0JKFGipE

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\family_guy.exe
    "C:\Users\Admin\AppData\Local\Temp\family_guy.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Program Files (x86)\Family Guy\Family Guy.exe
      "C:\Program Files (x86)\Family Guy\Family Guy.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      PID:580
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1000
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1012
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x514
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Users\Admin\AppData\Local\Temp\family_guy.exe
      "C:\Users\Admin\AppData\Local\Temp\family_guy.exe"
      1⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 576
        2⤵
        • Program crash
        PID:780
    • C:\Users\Admin\AppData\Local\Temp\family_guy.exe
      "C:\Users\Admin\AppData\Local\Temp\family_guy.exe"
      1⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 576
        2⤵
        • Program crash
        PID:1880
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1288" "4316"
      1⤵
        PID:756
      • C:\Users\Admin\AppData\Local\Temp\family_guy.exe
        "C:\Users\Admin\AppData\Local\Temp\family_guy.exe"
        1⤵
          PID:1604

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Family Guy\Family Guy.exe
          Filesize

          1.3MB

          MD5

          c42b25c0b13bf0b30f0380ff93eeca5c

          SHA1

          94edabef9a911502f865ad321a13b4519671c3c2

          SHA256

          20c6b1b1e8e9c1a95769e4628379eef6841ffe08c867c45a97529c6cc59b577f

          SHA512

          447929d405b734cb8b977a2e2de242ada86aded805c9601376a8cd88ada4f070c23e218b05b6bd17632670e2c23a89d96a1f833c7c563976cd5d53809bbe59ce

          Download Submit

        • C:\Program Files (x86)\Family Guy\Family Guy.exe
          Filesize

          1.3MB

          MD5

          c42b25c0b13bf0b30f0380ff93eeca5c

          SHA1

          94edabef9a911502f865ad321a13b4519671c3c2

          SHA256

          20c6b1b1e8e9c1a95769e4628379eef6841ffe08c867c45a97529c6cc59b577f

          SHA512

          447929d405b734cb8b977a2e2de242ada86aded805c9601376a8cd88ada4f070c23e218b05b6bd17632670e2c23a89d96a1f833c7c563976cd5d53809bbe59ce

          Download Submit

        • C:\Program Files (x86)\Family Guy\Family Guy.exe
          Filesize

          1.3MB

          MD5

          c42b25c0b13bf0b30f0380ff93eeca5c

          SHA1

          94edabef9a911502f865ad321a13b4519671c3c2

          SHA256

          20c6b1b1e8e9c1a95769e4628379eef6841ffe08c867c45a97529c6cc59b577f

          SHA512

          447929d405b734cb8b977a2e2de242ada86aded805c9601376a8cd88ada4f070c23e218b05b6bd17632670e2c23a89d96a1f833c7c563976cd5d53809bbe59ce

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\64B.tmp
          Filesize

          1KB

          MD5

          f20281f6af35e0b444d45e68e1d03571

          SHA1

          7d79b2cf83d2263483032f8ba4bfaae983eb6f92

          SHA256

          2626938decd57dff0e8302f555bc5e7211885795d8e176a1be34660531418695

          SHA512

          0a9c603e903ab1fa218f528ff571a211a5f2d50bc668767c85edc4bcc5fef7407de66674f98649611586a9d1321555fa28c33b631ad97a321288165e2eb7b395

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AD6F.tmp
          Filesize

          326B

          MD5

          547fd162b841ea7ab9a3ec382a0b3bcf

          SHA1

          d4b18e2c5050f8e3f7da3ebc971324216b2c52c0

          SHA256

          0d3435f9a32b338e0fc43cd6fe3b19654832c373da924a05d4882817fb1d788c

          SHA512

          55e0d7db284f42acbfafee28528930d8f80fd8fbb7dd0e007e6e70b388b948f9efa3145efb88dbd97713fd0c53c76737275fca449a1cbbbdec646f926d92c543

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AD70.tmp
          Filesize

          326B

          MD5

          0b576e008b73093bff2507b55c03e27b

          SHA1

          0ae3fcee204274f9eff4ea98aee99831cbf8a404

          SHA256

          db1765ce9ba8b1e6a779ae50362aea47246732d78ecc475aac86cfbc009a096a

          SHA512

          11d02c9defdba79114a55650fe73c693deedfeec10454029c30c1fcc5d4e0c72d6acd55f42363a60a302f3d9876520526a0f24a472866bd7046acd69b090cca5

          Download Submit

        • \Program Files (x86)\Family Guy\Family Guy.exe
          Filesize

          1.3MB

          MD5

          c42b25c0b13bf0b30f0380ff93eeca5c

          SHA1

          94edabef9a911502f865ad321a13b4519671c3c2

          SHA256

          20c6b1b1e8e9c1a95769e4628379eef6841ffe08c867c45a97529c6cc59b577f

          SHA512

          447929d405b734cb8b977a2e2de242ada86aded805c9601376a8cd88ada4f070c23e218b05b6bd17632670e2c23a89d96a1f833c7c563976cd5d53809bbe59ce

          Download Submit

        • \Program Files (x86)\Family Guy\Family Guy.exe
          Filesize

          1.3MB

          MD5

          c42b25c0b13bf0b30f0380ff93eeca5c

          SHA1

          94edabef9a911502f865ad321a13b4519671c3c2

          SHA256

          20c6b1b1e8e9c1a95769e4628379eef6841ffe08c867c45a97529c6cc59b577f

          SHA512

          447929d405b734cb8b977a2e2de242ada86aded805c9601376a8cd88ada4f070c23e218b05b6bd17632670e2c23a89d96a1f833c7c563976cd5d53809bbe59ce

          Download Submit

        • memory/580-90-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1000-92-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1180-91-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1180-80-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1208-119-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1208-120-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1208-150-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1244-177-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1244-178-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1244-208-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download

        • memory/1244-209-0x0000000001000000-0x0000000001079000-memory.dmp

          Filesize

          484KB

          Download