Analysis

  • max time kernel
    19s
  • max time network
    110s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    30-04-2024 19:47

General

  • Target
    VeryFun.exe
  • Size
    3.0MB
  • MD5
    ef7b3c31bc127e64627edd8b89b2ae54
  • SHA1
    310d606ec2f130013cc9d2f38a9cc13a2a34794a
  • SHA256
    8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
  • SHA512
    a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5
  • SSDEEP
    49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8:Js/4ibecELz/RkO6LF4hRq5GKHmBBY

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Modifies AppInit DLL entries 2 TTPs
  • Modifies Installed Components in the registry 2 TTPs 64 IoCs
  • Sets file execution options in registry 2 TTPs 9 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • UPX packed file 41 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 64 IoCs
  • AutoIT Executable 29 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • System policy modification 1 TTPs 7 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2128
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3300
        • C:\Users\Admin\AppData\Local\Temp\VeryFun.exe
          "C:\Users\Admin\AppData\Local\Temp\VeryFun.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4684
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
              PID:3596
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Modifies WinLogon for persistence
              • Manipulates Digital Signatures
              • Modifies Installed Components in the registry
              • Sets file execution options in registry
              • Checks computer location settings
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Installs/modifies Browser Helper Object
              • Modifies WinLogon
              • Sets desktop wallpaper using registry
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • System policy modification
              PID:3744
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
              • Suspicious behavior: GetForegroundWindowSpam
              PID:1156
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
              • Suspicious behavior: GetForegroundWindowSpam
              PID:1952
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
                PID:3340
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe"
                3⤵
                  PID:4072
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  3⤵
                    PID:1300
              • C:\Windows\system32\AUDIODG.EXE
                C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004B8
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1288
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                  PID:4928
                  • C:\Windows\System32\ie4uinit.exe
                    "C:\Windows\System32\ie4uinit.exe" -UserConfig
                    2⤵
                      PID:3460
                      • C:\Windows\System32\ie4uinit.exe
                        C:\Windows\System32\ie4uinit.exe -ClearIconCache
                        3⤵
                          PID:1104
                      • C:\Windows\System32\unregmp2.exe
                        "C:\Windows\System32\unregmp2.exe" /FirstLogon
                        2⤵
                          PID:2784
                        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
                          2⤵
                            PID:772
                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                              "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68
                              3⤵
                                PID:2152
                              • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0
                                3⤵
                                  PID:1908
                                  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                                    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68
                                    4⤵
                                      PID:3344
                                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level
                                  2⤵
                                    PID:1544
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x248,0x24c,0x250,0x21c,0x254,0x7ff6dc9eeb10,0x7ff6dc9eeb20,0x7ff6dc9eeb30
                                      3⤵
                                        PID:3700
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut
                                        3⤵
                                          PID:5020
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb94e23cb8,0x7ffb94e23cc8,0x7ffb94e23cd8
                                            4⤵
                                              PID:5016

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Google\Chrome\Application\SetupMetrics\27d6e799-a7fd-4369-847a-03995b7f42c2.tmp
    Filesize: 488B
    MD5: 6d971ce11af4a6a93a4311841da1a178
    SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
    SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
    SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\199606c1-1d0d-491f-9131-74bc9d165d48.dmp
    Filesize: 4.8MB
    MD5: d98c0c75c630599b6ccb3e6466ea0119
    SHA1: 22bdb39d42c036b5be1e994e5f4d6e342d35e4bf
    SHA256: 2a8e1bcddefb3929f5c97a5d37a830e37897273b7f8b88db790d9b5f0c372ac5
    SHA512: d0747d96de7cfc7a9c4da41cf6e3ab17c71f85503c176a2f63af7ba8bc9b30bfb45ac76ea021d357fe0b165f776d3cc0bed12a52c5e7d3ee139a653f76a60655
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 704d4cabea796e63d81497ab24b05379
    SHA1: b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
    SHA256: 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
    SHA512: 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d
  • C:\Users\Admin\AppData\Local\Temp\RGIEB17.tmp
    Filesize: 24KB
    MD5: dd4f5026aa316d4aec4a9d789e63e67b
    SHA1: fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
    SHA256: 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
    SHA512: 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568
  • C:\Users\Admin\AppData\Local\Temp\RGIEB3A.tmp
    Filesize: 3KB
    MD5: a828b8c496779bdb61fce06ba0d57c39
    SHA1: 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
    SHA256: c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
    SHA512: effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea
  • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
    Filesize: 8KB
    MD5: 802a45170dfcd6f48c575c93902456cf
    SHA1: b6d26ccbb32aee5c17f57103f7244fa1a4ad9111
    SHA256: 1b3172603138de664da041c2f3f4ee93b22e69155f66c8dd3b9eef1e1aa4b47a
    SHA512: 2968928dc36df6766acb7b26867682641fc51bd3a6f2a66d46e39d6c30fa5a20b32d870874c41fc6cf46a5210d55bcdc0dcf0a1db337fe00934ce06d0a453e93
  • C:\Windows\TEMP\Crashpad\settings.dat
    Filesize: 40B
    MD5: f253896b9ddf47a15eb8932fdf7caf07
    SHA1: 1b52ed22b1d9a9838ae183eb982d7a4bfb8a1304
    SHA256: 046f7d44ec9ff7bd53a01226b5bb0425cd14ac6654028b1afebda035409082a2
    SHA512: eb2e4bdebaa30d56de2ab5dd4eb21a4ba21b9047ccffc9455b5df3394b8cf7d661be2c1aede918a86225af961d05d8296a17832b06db48f410f73ba9fe696c3f

  • memory/1156-22-0x0000000001100000-0x000000000120C000-memory.dmp
    Filesize: 1.0MB
  • memory/1156-21-0x0000000001100000-0x000000000120C000-memory.dmp
    Filesize: 1.0MB
  • memory/1156-20-0x0000000001100000-0x000000000120C000-memory.dmp
    Filesize: 1.0MB
  • memory/1300-40-0x0000000001380000-0x000000000148C000-memory.dmp
    Filesize: 1.0MB
  • memory/1300-39-0x0000000001380000-0x000000000148C000-memory.dmp
    Filesize: 1.0MB
  • memory/1300-41-0x0000000001380000-0x000000000148C000-memory.dmp
    Filesize: 1.0MB
  • memory/1952-26-0x0000000000960000-0x0000000000A6C000-memory.dmp
    Filesize: 1.0MB
  • memory/1952-25-0x0000000000960000-0x0000000000A6C000-memory.dmp
    Filesize: 1.0MB
  • memory/1952-24-0x0000000000960000-0x0000000000A6C000-memory.dmp
    Filesize: 1.0MB
  • memory/3300-54-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-46-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-48-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-50-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-43-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-51-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-52-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3300-56-0x0000000000E00000-0x0000000000E10000-memory.dmp
    Filesize: 64KB
  • memory/3340-28-0x0000000001310000-0x000000000141C000-memory.dmp
    Filesize: 1.0MB
  • memory/3340-29-0x0000000001310000-0x000000000141C000-memory.dmp
    Filesize: 1.0MB
  • memory/3340-30-0x0000000001310000-0x000000000141C000-memory.dmp
    Filesize: 1.0MB
  • memory/3596-5-0x0000000000E00000-0x0000000000F9C000-memory.dmp
    Filesize: 1.6MB
  • memory/3596-6-0x0000000000E00000-0x0000000000F9C000-memory.dmp
    Filesize: 1.6MB
  • memory/3596-32-0x0000000000E00000-0x0000000000F9C000-memory.dmp
    Filesize: 1.6MB
  • memory/3596-38-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/3596-18-0x0000000001C10000-0x0000000001C11000-memory.dmp
    Filesize: 4KB
  • memory/3596-19-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/3596-4-0x0000000000E00000-0x0000000000F9C000-memory.dmp
    Filesize: 1.6MB
  • memory/3596-17-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/3596-16-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/3596-14-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/3596-3-0x0000000000E00000-0x0000000000F9C000-memory.dmp
    Filesize: 1.6MB
  • memory/3744-13-0x0000000000700000-0x00000000007F4000-memory.dmp
    Filesize: 976KB
  • memory/3744-12-0x0000000000700000-0x00000000007F4000-memory.dmp
    Filesize: 976KB
  • memory/3744-36-0x0000000000700000-0x00000000007F4000-memory.dmp
    Filesize: 976KB
  • memory/3744-11-0x0000000000700000-0x00000000007F4000-memory.dmp
    Filesize: 976KB
  • memory/3744-7-0x0000000000700000-0x00000000007F4000-memory.dmp
    Filesize: 976KB
  • memory/3744-37-0x0000000000700000-0x00000000007F4000-memory.dmp
    Filesize: 976KB
  • memory/4684-53-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-31-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-0-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-55-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-42-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-57-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-44-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-49-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-45-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-47-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-27-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-23-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-1-0x0000000003D70000-0x0000000003D7B000-memory.dmp
    Filesize: 44KB
  • memory/4684-139-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-140-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-141-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-142-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-143-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB
  • memory/4684-144-0x00000000004F0000-0x0000000000B2D000-memory.dmp
    Filesize: 6.2MB