Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 07:04
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: FOTO20122.exe
Resource: win7-20240419-en
8 signatures, 150 seconds
General
Target: FOTO20122.exe
Size: 40KB
MD5: 276b63aadfee1bb96f676dece72c41b3
SHA1: ac88780c6f1aed43d6792c5b51f101078cffde62
SHA256: fbf9b5bbba47b7b9dfc8c71e18f8459b30068fbd9797004a70afa8dbc73f60ed
SHA512: 94a6c4084061eb24a7c7fa0a519dc5dfb0e8689d7e93592b70acf90859c21a792b03b862e9c5dc96007381285a98501b6d0a32f228457c6e2fb98570b283a7b8
SSDEEP: 768:G+/OmTu2B51nCU8SeNfwqgyF2713SRbXODCmHRpC:G+/ru2b1nRe9S3S1AC
Malware Config
Signatures
UAC bypass 1 TTPs 1 IoCs
Processes: reg.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: FOTO20122.exe
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | FOTO20122.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ | FOTO20122.exe
Drops file in Windows directory 1 IoCs
Processes: FOTO20122.exe
  description                  | ioc | process
  File opened for modification | C:\WINDOWS\addins\MediaPlay.dll | FOTO20122.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
Processes: FOTO20122.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | FOTO20122.exe
Modifies registry class 2 IoCs
Processes: FOTO20122.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid | FOTO20122.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass | FOTO20122.exe
Modifies registry key 1 TTPs 1 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: FOTO20122.exe
  pid  | process
  2148 | FOTO20122.exe
  2148 | FOTO20122.exe
  2148 | FOTO20122.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: FOTO20122.exe, cmd.exe
  description                      | pid  | process       | target process
  PID 2148 wrote to memory of 3036 | 2148 | FOTO20122.exe | cmd.exe        (4 entries)
  PID 3036 wrote to memory of 2692 | 3036 | cmd.exe       | reg.exe        (4 entries)
  PID 2148 wrote to memory of 2520 | 2148 | FOTO20122.exe | REGSVR32.EXE   (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\FOTO20122.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FOTO20122.exe"
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2148
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    PID: 3036
    - C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
      PID: 2692
  - C:\Windows\syswow64\REGSVR32.EXE
    Command line: C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll
    PID: 2520