Analysis
Max time kernel: 1s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 08/01/2024, 03:40
Behavioral task: behavioral1
Sample: 4a5783b883b52012f1b0c2852f4f71c3.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 4a5783b883b52012f1b0c2852f4f71c3.exe
Resource: win10v2004-20231222-en
7 signatures, 150 seconds
General
Target: 4a5783b883b52012f1b0c2852f4f71c3.exe
Size: 661KB
MD5: 4a5783b883b52012f1b0c2852f4f71c3
SHA1: 87109375237f028d3a567cd7e0f030619dcc4a05
SHA256: 21162829c287f0ffacaa0f31372995b2b78c873cea38785b1eaa89c93b33d26a
SHA512: c16fecf77e0a404f4d01130b41d1f1cbdf39c6be48436b17744b034e85d446de03f776f55868e3d0e353a3ceeafcfbea477d734de8759f4ccfb2b54cf81694e3
SSDEEP: 12288:mSI2A2u/WGo+n31k1OxVGL5xLz7MGuU/YuLW4htuM7Cy90Xg:XI72u/WGo41kSGtx37rYuLoyYg
Score: 7/10
Malware Config
Signatures
resource                                                                    yara_rule
behavioral2/memory/3364-0-0x00000000008A0000-0x0000000000A60000-memory.dmp  upx
behavioral2/memory/3364-3-0x00000000008A0000-0x0000000000A60000-memory.dmp  upx
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
Program crash 1 IoCs
pid   pid_target  Process       procid_target
5056  3364        WerFault.exe  14
Modifies Internet Explorer settings
description / ioc (Process for all rows: 4a5783b883b52012f1b0c2852f4f71c3.exe)
- Key created      \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl
- Key created      \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- Set value (int)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\4a5783b883b52012f1b0c2852f4f71c3.exe = "11001"
Modifies registry class 36 IoCs
description / ioc (Process for all rows: 4a5783b883b52012f1b0c2852f4f71c3.exe)
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}"
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\ = "Setup.Application"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS\ = "0"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID\ = "{017E057B-DACF-4A07-B878-E294565E3F90}"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID\ = "Setup.Application"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32\ = "ole32.dll"
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\ = "Setup"
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5783b883b52012f1b0c2852f4f71c3.exe"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ = "Setup.Application"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5783b883b52012f1b0c2852f4f71c3.exe\""
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR\
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup"
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid   Process
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
3364  4a5783b883b52012f1b0c2852f4f71c3.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a5783b883b52012f1b0c2852f4f71c3.exe"
  PID: 3364
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 3364)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 2364
    PID: 5056
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3364 -ip 3364
  PID: 3796