Analysis

  • max time kernel: 23s
  • max time network: 167s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30-04-2024 19:47

General

  • Target: VeryFun.exe
  • Size: 3.0MB
  • MD5: ef7b3c31bc127e64627edd8b89b2ae54
  • SHA1: 310d606ec2f130013cc9d2f38a9cc13a2a34794a
  • SHA256: 8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
  • SHA512: a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5
  • SSDEEP: 49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8:Js/4ibecELz/RkO6LF4hRq5GKHmBBY

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Modifies AppInit DLL entries 2 TTPs
  • Modifies Installed Components in the registry 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • UPX packed file 41 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules that act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 64 IoCs
  • AutoIT Executable 28 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 11 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    PID:2052
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\VeryFun.exe
      "C:\Users\Admin\AppData\Local\Temp\VeryFun.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Modifies WinLogon for persistence
        • Manipulates Digital Signatures
        • Modifies Installed Components in the registry
        • Checks computer location settings
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Installs/modifies Browser Helper Object
        • Modifies WinLogon
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • System policy modification
        PID:924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:2180
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x524 0x51c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3024
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:548
    • C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -UserConfig
      2⤵
      PID:3404
      • C:\Windows\System32\ie4uinit.exe
        C:\Windows\System32\ie4uinit.exe -ClearIconCache
        3⤵
        PID:4496
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
          4⤵
          PID:1176
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
          4⤵
          PID:956
    • C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon
      2⤵
      PID:2264
    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
      2⤵
      PID:1476
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68
        3⤵
        PID:2260
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0
        3⤵
        PID:4620
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x224,0x248,0x24c,0x78,0x250,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68
          4⤵
          PID:3168
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge
      2⤵
      PID:4900
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff679325460,0x7ff679325470,0x7ff679325480
        3⤵
        PID:2848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut
        3⤵
        PID:4948
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeaddd46f8,0x7ffeaddd4708,0x7ffeaddd4718
          4⤵
          PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Google\Chrome\Application\SetupMetrics\25285606-14a6-48a3-bb51-0a675a3e0f14.tmp
    Filesize: 488B
    MD5: 6d971ce11af4a6a93a4311841da1a178
    SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
    SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
    SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ea98e583ad99df195d29aa066204ab56
    SHA1: f89398664af0179641aa0138b337097b617cb2db
    SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
    SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

  • C:\Users\Admin\AppData\Local\Temp\RGI99C5.tmp
    Filesize: 24KB
    MD5: dd4f5026aa316d4aec4a9d789e63e67b
    SHA1: fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
    SHA256: 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
    SHA512: 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

  • C:\Users\Admin\AppData\Local\Temp\RGI99E9.tmp
    Filesize: 3KB
    MD5: a828b8c496779bdb61fce06ba0d57c39
    SHA1: 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
    SHA256: c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
    SHA512: effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

  • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
    Filesize: 8KB
    MD5: 0aa22364f7b837652afb323504680abd
    SHA1: ac806b580a795cbaa32e33131980145bf18282cd
    SHA256: 48434bf87dd82ecd09ccf48d1a2f6b6e3357cb0c5b37dc1a80a7903ea570d91a
    SHA512: ccd50fc8a6a99a74a8a6f0fd33c917e217335c22d621d9689771561d06fe3d6cdc9a67c8c03dc9b7a3d97561d32f7e377604013bf00732be5e90a3ae5a4a53a6

  • C:\Windows\TEMP\Crashpad\settings.dat
    Filesize: 40B
    MD5: 295c35172675c56d85b3271fc5adbaf7
    SHA1: fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0
    SHA256: f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0
    SHA512: 15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

  • memory/464-5-0x0000000000780000-0x000000000091C000-memory.dmp
    Filesize: 1.6MB
  • memory/464-6-0x0000000000780000-0x000000000091C000-memory.dmp
    Filesize: 1.6MB
  • memory/464-7-0x0000000000780000-0x000000000091C000-memory.dmp
    Filesize: 1.6MB
  • memory/464-36-0x0000000000780000-0x000000000091C000-memory.dmp
    Filesize: 1.6MB
  • memory/464-18-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/464-17-0x0000000002F40000-0x0000000002F41000-memory.dmp
    Filesize: 4KB
  • memory/464-16-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/464-15-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/464-13-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/464-3-0x0000000000780000-0x000000000091C000-memory.dmp
    Filesize: 1.6MB
  • memory/464-41-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/548-119-0x0000000002A30000-0x0000000002A31000-memory.dmp
    Filesize: 4KB
  • memory/608-35-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-54-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-1-0x0000000004450000-0x0000000004451000-memory.dmp
    Filesize: 4KB
  • memory/608-118-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-2-0x0000000004460000-0x000000000446B000-memory.dmp
    Filesize: 44KB
  • memory/608-31-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-55-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-24-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-53-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-0-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-52-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-51-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-50-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-49-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-48-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-47-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-42-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-46-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-44-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/608-45-0x00000000004A0000-0x0000000000ADD000-memory.dmp
    Filesize: 6.2MB
  • memory/712-33-0x0000000000F00000-0x000000000100C000-memory.dmp
    Filesize: 1.0MB
  • memory/712-32-0x0000000000F00000-0x000000000100C000-memory.dmp
    Filesize: 1.0MB
  • memory/712-34-0x0000000000F00000-0x000000000100C000-memory.dmp
    Filesize: 1.0MB
  • memory/924-12-0x0000000000F20000-0x0000000001014000-memory.dmp
    Filesize: 976KB
  • memory/924-8-0x0000000000F20000-0x0000000001014000-memory.dmp
    Filesize: 976KB
  • memory/924-37-0x0000000000F20000-0x0000000001014000-memory.dmp
    Filesize: 976KB
  • memory/924-10-0x0000000000F20000-0x0000000001014000-memory.dmp
    Filesize: 976KB
  • memory/924-11-0x0000000000F20000-0x0000000001014000-memory.dmp
    Filesize: 976KB
  • memory/924-43-0x0000000000F20000-0x0000000001014000-memory.dmp
    Filesize: 976KB
  • memory/2180-39-0x0000000001020000-0x000000000112C000-memory.dmp
    Filesize: 1.0MB
  • memory/2180-40-0x0000000001020000-0x000000000112C000-memory.dmp
    Filesize: 1.0MB
  • memory/2180-38-0x0000000001020000-0x000000000112C000-memory.dmp
    Filesize: 1.0MB
  • memory/2188-27-0x0000000000600000-0x000000000070C000-memory.dmp
    Filesize: 1.0MB
  • memory/2188-26-0x0000000000600000-0x000000000070C000-memory.dmp
    Filesize: 1.0MB
  • memory/2188-25-0x0000000000600000-0x000000000070C000-memory.dmp
    Filesize: 1.0MB
  • memory/3992-21-0x0000000001300000-0x000000000140C000-memory.dmp
    Filesize: 1.0MB
  • memory/3992-22-0x0000000001300000-0x000000000140C000-memory.dmp
    Filesize: 1.0MB
  • memory/3992-23-0x0000000001300000-0x000000000140C000-memory.dmp
    Filesize: 1.0MB