Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 01:35
Static task: static1
Behavioral task: behavioral1
Sample: 3210-9-A-2962-12-L/3210-9-A-2962-12-L.exe
Resource: win7-20240221-en
General
Target: 3210-9-A-2962-12-L/3210-9-A-2962-12-L.exe
Size: 646KB
MD5: 13c682a062eeb266a8f1b56490a19e4b
SHA1: fc28cd5dd42aef8d52b786ffdbac7d17672b947e
SHA256: 290b4f67f8205d1f7d1c6acf42263f9313270093dbad3ea9774be7df41b4cf16
SHA512: fc6ddf0e7111c38dd249162288ef3591ee80500824faa1ac08fa112d449d14ed821580c62d18fa9fca9248a7e8963a945d9abc64b442d90abda3de29da4578bd
SSDEEP: 12288:IADWHQwxhctmk1ThJz1oek2a+J9xTFTbCJHsvLxPCULL3byOwVZQL9pU:VDDmQlTlR9zvCJMj9rLrmfaHU
Malware Config
Signatures

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3210-9-A-2962-12-L.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-330940541-141609230-1670313778-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | fontview.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\T4ZPPDS8QRBD = "C:\\Program Files (x86)\\Windows Mail\\wab.exe" | fontview.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2064 | powershell.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3210-9-A-2962-12-L.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3210-9-A-2962-12-L.exe
Suspicious use of SetThreadContext (7 IoCs)
description | pid | Process | procid_target
PID 2768 set thread context of 2452 | 2768 | 3210-9-A-2962-12-L.exe | 31
PID 2452 set thread context of 2768 | 2452 | wab.exe | 27
PID 2452 set thread context of 2768 | 2452 | wab.exe | 27
PID 2452 set thread context of 2768 | 2452 | wab.exe | 27
PID 2452 set thread context of 1208 | 2452 | wab.exe | 21
PID 2452 set thread context of 324 | 2452 | wab.exe | 35
PID 324 set thread context of 2768 | 324 | fontview.exe | 27

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
2064 | powershell.exe
2452 | wab.exe (listed 11 times)
324 | fontview.exe (listed 4 times)

Suspicious behavior: MapViewOfSection (8 IoCs)
pid | Process
2452 | wab.exe (listed 4 times)
1208 | Explorer.EXE (listed 2 times)
324 | fontview.exe (listed 2 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2768 | 3210-9-A-2962-12-L.exe
Token: SeDebugPrivilege | 2064 | powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2768 wrote to memory of 2064 | 2768 | 3210-9-A-2962-12-L.exe | 29 (listed 3 times)
PID 2768 wrote to memory of 2452 | 2768 | 3210-9-A-2962-12-L.exe | 31 (listed 7 times)
PID 2768 wrote to memory of 2580 | 2768 | 3210-9-A-2962-12-L.exe | 32 (listed 3 times)
PID 1208 wrote to memory of 324 | 1208 | Explorer.EXE | 35 (listed 4 times)

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3210-9-A-2962-12-L.exe
Processes

Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID: 1208
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory

  Image: C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe"
  PID: 2768
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3210-9-A-2962-12-L\3210-9-A-2962-12-L.exe" -Force
    PID: 2064
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    Image: C:\Program Files (x86)\Windows Mail\wab.exe
    Command line: "C:\Program Files (x86)\Windows Mail\wab.exe"
    PID: 2452
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

    Image: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2768 -s 836
    PID: 2580

  Image: C:\Windows\SysWOW64\fontview.exe
  Command line: "C:\Windows\SysWOW64\fontview.exe"
  PID: 324
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)