Analysis
- max time kernel: 42s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01/01/2024, 06:10
Static task: static1
Behavioral task: behavioral1
- Sample: 3c17072460aa23cf616534a6bd598572.exe
- Resource: win7-20231215-en
General
- Target: 3c17072460aa23cf616534a6bd598572.exe
- Size: 44KB
- MD5: 3c17072460aa23cf616534a6bd598572
- SHA1: 1fe72774a703e1686335064f82c5c95736de3676
- SHA256: 47e5df70654cbcabc73440e2e29aa962baa66e09cfef1973cd9084c7b5b91b74
- SHA512: 979a140476a2c2db40f3b6da3c01d4f53790fbf001567fb159ce3b221ca9fa5ad8b7d184cde0f511ddb45be1e485563f38a99d04dd8e92f802b4e4b8de241b8f
- SSDEEP: 768:S/wzud6HJRgZR8jzcGg1nTGOuSijvCIvM3KOMMMMMMMMMMMMMMMMMMMMMMMMMMMS:86LgZRAoGgBFYeBVFT
Malware Config
Signatures
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (3c17072460aa23cf616534a6bd598572.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (3c17072460aa23cf616534a6bd598572.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (3c17072460aa23cf616534a6bd598572.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (3c17072460aa23cf616534a6bd598572.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 2108 set thread context of 1700 (3c17072460aa23cf616534a6bd598572.exe, target procid 18)
Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\WINDOWS\system\wincal.exe (3c17072460aa23cf616534a6bd598572.exe)
- File created: C:\WINDOWS\system\wincal.exe (3c17072460aa23cf616534a6bd598572.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU
- Key created: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms
- Set value (int): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeBackupPrivilege (PID 1700, 3c17072460aa23cf616534a6bd598572.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2108 (3c17072460aa23cf616534a6bd598572.exe)
- PID 1700 (3c17072460aa23cf616534a6bd598572.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2108 wrote to memory of 1700 (3c17072460aa23cf616534a6bd598572.exe, target procid 18), 8 occurrences
- PID 1700 wrote to memory of 2204 (3c17072460aa23cf616534a6bd598572.exe, target procid 31), 4 occurrences
System policy modification (1 TTP, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (3c17072460aa23cf616534a6bd598572.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe"
  PID: 2108
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe (child of PID 2108)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3c17072460aa23cf616534a6bd598572.exe"
    PID: 1700
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files\Internet Explorer\iexplore.exe (child of PID 1700)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.cl/
      PID: 2204
      - Modifies Internet Explorer settings
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
  PID: 3020
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: c2277d11ce83c4bab740da7f8725fb5b
  SHA1: f2509d946b59d21ed2499a6667440a0c0c126e28
  SHA256: a4a2bd1ae97993d79af49b32f146b74b077e48f16b4a1e6a5db492d7250788cf
  SHA512: e349048f487ae792f3dd3d078d1f329bbb3bde3c6ff4f12ea1d6e1b54cef64ac0726f16a3d90f87d6c9b636606c3645d050b39433fb86aa21496db39633c69f5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\favicon[1].ico
  Filesize: 5KB
  MD5: f3418a443e7d841097c714d69ec4bcb8
  SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
  SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
  SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d