Analysis
max time kernel: 45s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 07:04
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: FOTO20122.exe
Resource: win7-20240419-en
8 signatures
150 seconds
General
Target: FOTO20122.exe
Size: 40KB
MD5: 276b63aadfee1bb96f676dece72c41b3
SHA1: ac88780c6f1aed43d6792c5b51f101078cffde62
SHA256: fbf9b5bbba47b7b9dfc8c71e18f8459b30068fbd9797004a70afa8dbc73f60ed
SHA512: 94a6c4084061eb24a7c7fa0a519dc5dfb0e8689d7e93592b70acf90859c21a792b03b862e9c5dc96007381285a98501b6d0a32f228457c6e2fb98570b283a7b8
SSDEEP: 768:G+/OmTu2B51nCU8SeNfwqgyF2713SRbXODCmHRpC:G+/ru2b1nRe9S3S1AC
Malware Config
Signatures
Processes: reg.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: FOTO20122.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (FOTO20122.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (FOTO20122.exe)
Drops file in Windows directory (1 IoCs)
Processes: FOTO20122.exe
  File opened for modification: C:\WINDOWS\addins\MediaPlay.dll (FOTO20122.exe)
Modifies registry class (2 IoCs)
Processes: FOTO20122.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid (FOTO20122.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass (FOTO20122.exe)
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: FOTO20122.exe
  PID 3484: FOTO20122.exe
  PID 3484: FOTO20122.exe
  PID 3484: FOTO20122.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: FOTO20122.exe, cmd.exe
  PID 3484 wrote to memory of 1552: FOTO20122.exe -> cmd.exe
  PID 3484 wrote to memory of 1552: FOTO20122.exe -> cmd.exe
  PID 3484 wrote to memory of 1552: FOTO20122.exe -> cmd.exe
  PID 1552 wrote to memory of 2600: cmd.exe -> reg.exe
  PID 1552 wrote to memory of 2600: cmd.exe -> reg.exe
  PID 1552 wrote to memory of 2600: cmd.exe -> reg.exe
  PID 3484 wrote to memory of 344: FOTO20122.exe -> REGSVR32.EXE
  PID 3484 wrote to memory of 344: FOTO20122.exe -> REGSVR32.EXE
  PID 3484 wrote to memory of 344: FOTO20122.exe -> REGSVR32.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\FOTO20122.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\FOTO20122.exe"
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3484
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    PID: 1552
    C:\Windows\SysWOW64\reg.exe
      command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
      PID: 2600
  C:\Windows\SysWOW64\REGSVR32.EXE
    command line: C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll
    PID: 344