Analysis

  • max time kernel
    1818s
  • max time network
    1138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 12:26

General

  • Target

    FiddlerSetup.exe

  • Size

    6.5MB

  • MD5

    7fd1119b5f29e4094228dabf57e65a9d

  • SHA1

    1a4e248bfe07f8c65ce68b4f29013442be6ef7c7

  • SHA256

    5c92f0738c290eac319d4ac3006b5725f1d2163fbfe68dbb2047e07920f4d5e8

  • SHA512

    20d22e16f5c285bd6ffdf3620762c340ffb97cc51c5080717b87442f29a14271644351b082392d9fb2fd1ce40a1fe56a4e6592a290d67f5c587e8e9eb2f33787

  • SSDEEP

    196608:Q962sDwuahkk8ZaQd9NCMbw4fO0ADH6Op:Q5uAkk8ZBCuXfjADH6s

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\36ece4ae76c946479eb8a5d5bcc393ad /t 3388 /p 3324
    1⤵
    PID:4864
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1888
  • C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\nsn7F00.tmp\FiddlerSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\nsn7F00.tmp\FiddlerSetup.exe" /D=
      2⤵
      • Executes dropped EXE
      PID:3632
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2012
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4644
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3616
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2568
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1192
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2252
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4904
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3356
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3784
  • C:\Windows\system32\werfault.exe
    werfault.exe /hc /shared Global\809d797be9e94af99db67911735b40e6 /t 1936 /p 3784
    1⤵
    PID:624
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4244
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

    Filesize

    471B

    MD5

    976ce2c91cbe61b98378e8e5c5ba4d53

    SHA1

    45b3e1eabb4e759bf46ffeb8f9722077a0d62c72

    SHA256

    255f312d16d7d080cf1a97d4eb255c236c7eee6c059d732d970e3c05c07c158e

    SHA512

    0065b7984960354aea85cd0c6792e019f40a2b359fabf7dcee438193c1bab47d74d59602627c8399df741864dffb0469d9cf8bc48907c1c67015c51d01a7b28a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

    Filesize

    412B

    MD5

    7b712a8bf17281f8c37653f9a2d734b2

    SHA1

    1fd7b284127d6daf904e74c7cf260b4e2301ee94

    SHA256

    ffbd1f4ab9d0a31e11ef41df102326e7249eae894618a03505fda17417df40ad

    SHA512

    f93059a542117fd396f4af1689e58b08066a0259a87674f948c44c8615b1fa943b85e926cf196c9af15643baff8c58e42b6ab6850478d7c73dda536c2ee684ee

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml

    Filesize

    96B

    MD5

    4114b63fafc98d9307dc8bfae1c379cd

    SHA1

    8959adf99facaf14c6be813470286c448b0e0b44

    SHA256

    f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

    SHA512

    51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133415872568210012.txt

    Filesize

    75KB

    MD5

    62d81c2e1e8b21733f95af2a596e4b18

    SHA1

    91c005ecc5ae4171f450c43c02d1ba532b4474c6

    SHA256

    a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

    SHA512

    c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c
  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml

    Filesize

    96B

    MD5

    4114b63fafc98d9307dc8bfae1c379cd

    SHA1

    8959adf99facaf14c6be813470286c448b0e0b44

    SHA256

    f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

    SHA512

    51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723
  • C:\Users\Admin\AppData\Local\Temp\nsn7F00.tmp\FiddlerSetup.exe

    Filesize

    3.2MB

    MD5

    092879b4ec0b7a59be6273035da99e27

    SHA1

    282f2602469017d4d8401e84e248a6c138b7de97

    SHA256

    87d5fd5bfadffa31f6b72923be4d4a46335b3e32a4f6e306f90d04d4aed49c50

    SHA512

    dde4050f6a26dc0feecb7a7f2563f33db5615c15c0dd1f3e6bf8ff8aa3a4ced68a53ae66c179f56dda5a50185b5053460e63c5a0489b141d11372aacfcea4cf9
  • memory/2252-60-0x000001F4D3F60000-0x000001F4D3F80000-memory.dmp (Filesize 128KB)
  • memory/2252-62-0x000001F4D3F20000-0x000001F4D3F40000-memory.dmp (Filesize 128KB)
  • memory/2252-65-0x000001F4D4320000-0x000001F4D4340000-memory.dmp (Filesize 128KB)
  • memory/2568-36-0x000002640B400000-0x000002640B420000-memory.dmp (Filesize 128KB)
  • memory/2568-38-0x000002640AE70000-0x000002640AE90000-memory.dmp (Filesize 128KB)
  • memory/2568-33-0x000002640AEB0000-0x000002640AED0000-memory.dmp (Filesize 128KB)
  • memory/3356-105-0x00000274C1F40000-0x00000274C1F60000-memory.dmp (Filesize 128KB)
  • memory/3356-103-0x00000274C1F80000-0x00000274C1FA0000-memory.dmp (Filesize 128KB)
  • memory/3356-107-0x00000274C2350000-0x00000274C2370000-memory.dmp (Filesize 128KB)
  • memory/3616-26-0x00000000046D0000-0x00000000046D1000-memory.dmp (Filesize 4KB)
  • memory/3784-124-0x00000194C6470000-0x00000194C6490000-memory.dmp (Filesize 128KB)
  • memory/3784-126-0x00000194C6430000-0x00000194C6450000-memory.dmp (Filesize 128KB)
  • memory/3784-128-0x00000194C6840000-0x00000194C6860000-memory.dmp (Filesize 128KB)
  • memory/4244-139-0x000001F7CF740000-0x000001F7CF760000-memory.dmp (Filesize 128KB)
  • memory/4244-142-0x000001F7CF700000-0x000001F7CF720000-memory.dmp (Filesize 128KB)
  • memory/4244-146-0x000001F7CFB50000-0x000001F7CFB70000-memory.dmp (Filesize 128KB)
  • memory/4904-88-0x0000025E2CCE0000-0x0000025E2CD00000-memory.dmp (Filesize 128KB)
  • memory/4904-84-0x0000025E2C6C0000-0x0000025E2C6E0000-memory.dmp (Filesize 128KB)
  • memory/4904-82-0x0000025E2C700000-0x0000025E2C720000-memory.dmp (Filesize 128KB)