0840bf76133284d6a55f5278eb1dabe86fa472f69d21734cb035286e677c2a9b

Analysis

max time kernel
142s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

422e47dbf0e5bcd7e349f686f95e90ea.exe
Size

257KB
MD5

422e47dbf0e5bcd7e349f686f95e90ea
SHA1

19287bcf85b0c3e1691e34e8af21dc4e66ae94d3
SHA256

0840bf76133284d6a55f5278eb1dabe86fa472f69d21734cb035286e677c2a9b
SHA512

12dd2a6cbed5f6b2a7004c5e7a91591b7fede8a4fe302a1ed4fd46175b63afb7397795bc618f8d57c8ff86178eb8b0eca8b09af68545ffabf82632d0b43b9194
SSDEEP

3072:lprnHbr+kgB2xf6Vg7JGBWFsdGjVhjO0skG7CjjZyvtrWCSnto+HivUdY6VfcCzm:DHb0If6Vgkn+FAvbIojfCKGM

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\windll = "c:\\program files\\internet explorer\\RZ3.exe"	422e47dbf0e5bcd7e349f686f95e90ea.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\program files\internet explorer\RZ3.exe	422e47dbf0e5bcd7e349f686f95e90ea.exe
File opened for modification	\??\c:\program files\internet explorer\RZ3.exe	422e47dbf0e5bcd7e349f686f95e90ea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	1648	WerFault.exe	14

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	422e47dbf0e5bcd7e349f686f95e90ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\DriverDesc	422e47dbf0e5bcd7e349f686f95e90ea.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	422e47dbf0e5bcd7e349f686f95e90ea.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1648	422e47dbf0e5bcd7e349f686f95e90ea.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2792	1648	422e47dbf0e5bcd7e349f686f95e90ea.exe	28
PID 1648 wrote to memory of 2792	1648	422e47dbf0e5bcd7e349f686f95e90ea.exe	28
PID 1648 wrote to memory of 2792	1648	422e47dbf0e5bcd7e349f686f95e90ea.exe	28
PID 1648 wrote to memory of 2792	1648	422e47dbf0e5bcd7e349f686f95e90ea.exe	28

C:\Users\Admin\AppData\Local\Temp\422e47dbf0e5bcd7e349f686f95e90ea.exe
"C:\Users\Admin\AppData\Local\Temp\422e47dbf0e5bcd7e349f686f95e90ea.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 644
  2⤵
  - Program crash
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1648-3-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads