Analysis Overview
SHA256
33871c084b06e67d2fb8cc19c672ed27ce604c17ec8519bc44c85a2b1765475e
Threat Level: Shows suspicious behavior
The file Setup_v_43.3.exe was found to show suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 18:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 18:54
Reported
2024-02-22 18:55
Platform
win7-20240221-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D058E531-D1B3-11EE-B2DC-EA263619F6CB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D058E533-D1B3-11EE-B2DC-EA263619F6CB}.dat = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UndoAssert.rm"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | java.com | udp |
| GB | 92.123.128.139:80 | java.com | tcp |
| GB | 92.123.128.139:80 | java.com | tcp |
| US | 8.8.8.8:53 | www.java.com | udp |
| GB | 92.123.128.169:80 | www.java.com | tcp |
| GB | 92.123.128.169:80 | www.java.com | tcp |
| GB | 92.123.128.169:443 | www.java.com | tcp |
| US | 8.8.8.8:53 | static.ocecdn.oraclecloud.com | udp |
| GB | 23.204.227.109:443 | static.ocecdn.oraclecloud.com | tcp |
| GB | 23.204.227.109:443 | static.ocecdn.oraclecloud.com | tcp |
Files
memory/2892-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2868-33-0x000000013F160000-0x000000013F258000-memory.dmp
memory/2868-34-0x000007FEFAFD0000-0x000007FEFB004000-memory.dmp
memory/2868-35-0x000007FEF5CA0000-0x000007FEF5F54000-memory.dmp
memory/2868-36-0x000007FEFB310000-0x000007FEFB328000-memory.dmp
memory/2868-37-0x000007FEF7670000-0x000007FEF7687000-memory.dmp
memory/2868-38-0x000007FEF7600000-0x000007FEF7611000-memory.dmp
memory/2868-39-0x000007FEF7490000-0x000007FEF74A7000-memory.dmp
memory/2868-40-0x000007FEF7470000-0x000007FEF7481000-memory.dmp
memory/2868-41-0x000007FEF7450000-0x000007FEF746D000-memory.dmp
memory/2868-42-0x000007FEF7430000-0x000007FEF7441000-memory.dmp
memory/2868-43-0x000007FEF5AA0000-0x000007FEF5CA0000-memory.dmp
memory/2868-44-0x000007FEF73F0000-0x000007FEF742F000-memory.dmp
memory/2868-45-0x000007FEF39B0000-0x000007FEF4A5B000-memory.dmp
memory/2868-46-0x000007FEF68A0000-0x000007FEF68C1000-memory.dmp
memory/2868-47-0x000007FEF73D0000-0x000007FEF73E8000-memory.dmp
memory/2868-48-0x000007FEF6880000-0x000007FEF6891000-memory.dmp
memory/2868-49-0x000007FEF6860000-0x000007FEF6871000-memory.dmp
memory/2868-50-0x000007FEF6840000-0x000007FEF6851000-memory.dmp
memory/2868-51-0x000007FEF63C0000-0x000007FEF63DB000-memory.dmp
memory/2868-52-0x000007FEF63A0000-0x000007FEF63B1000-memory.dmp
memory/2868-53-0x000007FEF6380000-0x000007FEF6398000-memory.dmp
memory/2868-54-0x000007FEF6350000-0x000007FEF6380000-memory.dmp
memory/2868-55-0x000007FEF62E0000-0x000007FEF6347000-memory.dmp
memory/2868-56-0x000007FEF5A30000-0x000007FEF5A9F000-memory.dmp
memory/2868-57-0x000007FEF5A10000-0x000007FEF5A21000-memory.dmp
memory/2868-58-0x000007FEF59B0000-0x000007FEF5A06000-memory.dmp
memory/2868-59-0x000007FEF5980000-0x000007FEF59A8000-memory.dmp
memory/2868-60-0x000007FEF5950000-0x000007FEF5974000-memory.dmp
memory/2868-61-0x000007FEF5930000-0x000007FEF5947000-memory.dmp
memory/2868-62-0x000007FEF5900000-0x000007FEF5923000-memory.dmp
memory/2868-63-0x000007FEF58E0000-0x000007FEF58F1000-memory.dmp
memory/2868-64-0x000007FEF58C0000-0x000007FEF58D2000-memory.dmp
memory/2868-65-0x000007FEF5890000-0x000007FEF58B1000-memory.dmp
memory/2868-66-0x000007FEF5870000-0x000007FEF5883000-memory.dmp
memory/2868-67-0x000007FEF5850000-0x000007FEF5862000-memory.dmp
memory/2868-68-0x000007FEF5710000-0x000007FEF584B000-memory.dmp
memory/2868-69-0x000007FEF56E0000-0x000007FEF570C000-memory.dmp
memory/2868-82-0x000007FEF5040000-0x000007FEF5053000-memory.dmp
memory/2868-81-0x000007FEF5060000-0x000007FEF5072000-memory.dmp
memory/2868-83-0x000007FEF4FA0000-0x000007FEF503F000-memory.dmp
memory/2868-80-0x000007FEF5080000-0x000007FEF5091000-memory.dmp
memory/2868-79-0x000007FEF50A0000-0x000007FEF5101000-memory.dmp
memory/2868-78-0x000007FEF5110000-0x000007FEF5121000-memory.dmp
memory/2868-77-0x000007FEF5130000-0x000007FEF5155000-memory.dmp
memory/2868-76-0x000007FEF5160000-0x000007FEF5195000-memory.dmp
memory/2868-75-0x000007FEF51A0000-0x000007FEF53D1000-memory.dmp
memory/2868-74-0x000007FEF53E0000-0x000007FEF53F2000-memory.dmp
memory/2868-73-0x000007FEF5400000-0x000007FEF5497000-memory.dmp
memory/2868-72-0x000007FEF54A0000-0x000007FEF54B1000-memory.dmp
memory/2868-71-0x000007FEF54C0000-0x000007FEF551C000-memory.dmp
memory/2868-70-0x000007FEF5520000-0x000007FEF56D2000-memory.dmp
memory/2868-84-0x000007FEF4F80000-0x000007FEF4F91000-memory.dmp
memory/2868-86-0x000007FEF4E50000-0x000007FEF4E61000-memory.dmp
memory/2868-85-0x000007FEF4E70000-0x000007FEF4F72000-memory.dmp
memory/2868-87-0x000007FEF4CD0000-0x000007FEF4E48000-memory.dmp
memory/2868-88-0x000007FEF4CB0000-0x000007FEF4CC7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 18:54
Reported
2024-02-22 18:55
Platform
win10v2004-20240221-en
Max time kernel
25s
Max time network
30s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1876 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 1876 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 3720 wrote to memory of 3916 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\icacls.exe |
| PID 3720 wrote to memory of 3916 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/1876-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3720-3-0x0000012143170000-0x0000012144170000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| Hash | Value |
|---|---|
| MD5 | dffe1e5285db31a952ddd0f0b886c73c |
| SHA1 | 80c2719af0d5361f359d79ae5e21cc49322db813 |
| SHA256 | fa99e83d620380efcc8112bd135b899b1baaee0f297862268ddf96160f54e342 |
| SHA512 | a5ee6d8cb6e77a78308ac6aef3aa384a92a64907b2f0f32d2aa414e0f0f53e7f41855cefae92f7e622b4f624fa83e9fcd5d5ffd5b3d8049d084421a6d05c881a |
memory/3720-14-0x0000012143150000-0x0000012143151000-memory.dmp