Analysis
-
max time kernel
128s -
max time network
113s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
28/09/2024, 19:21
Static task
static1
Behavioral task
behavioral1
Sample
fontdrvhost.exe
Resource
win11-20240802-en
General
-
Target
fontdrvhost.exe
-
Size
904KB
-
MD5
f41ddb7839baaf8afb9e06244cca63af
-
SHA1
a28a821a6259a502291085e606c3d6695f76b77e
-
SHA256
bb87be5fac469d9486bd959166ad1a879a361651450fef3ab4e23d89e387aac2
-
SHA512
d9af2a8786067027b3e13200f2102c3df58db236c3aba1f2b2f6adbd4de49e867991120f1afac9642e9d647c5e2c3f5da121f19baf9ec11bc441a0fb5f001421
-
SSDEEP
12288:gpM6njfvne5t4vVc5mbljYDuRm/e5t4vVc5mbljYDuRmg5t4vVc5mbljYDuRm4:unbAmmCsbAmmCKAmmC5
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml UserOOBEBroker.exe File opened for modification C:\Windows\Panther\UnattendGC\setupact.log UserOOBEBroker.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4608 4616 WerFault.exe 77 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FileCoAuth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FileCoAuth.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4092 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1452 taskmgr.exe Token: SeSystemProfilePrivilege 1452 taskmgr.exe Token: SeCreateGlobalPrivilege 1452 taskmgr.exe Token: SeSecurityPrivilege 1452 taskmgr.exe Token: SeTakeOwnershipPrivilege 1452 taskmgr.exe Token: 33 1452 taskmgr.exe Token: SeIncBasePriorityPrivilege 1452 taskmgr.exe -
Suspicious use of FindShellTrayWindow 59 IoCs
pid Process 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe -
Suspicious use of SendNotifyMessage 59 IoCs
pid Process 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe 1452 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3616 MiniSearchHost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe"C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 10882⤵
- Program crash
PID:4608
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4616 -ip 46161⤵PID:384
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2332
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TestProtect.txt1⤵
- Opens file in notepad (likely ransom note)
PID:4092
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:776
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:1848
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:2132
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:1264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:3116
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1452
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706B
MD5fcc3b62ba0485e297da5e5ff6779978d
SHA14976727f5962e036f4ed1a44c03757cb1efe0cce
SHA2563fca3f9b915ed3a1573d6dc5a163c0717d6eaab899abcdebb6869d00fa605ced
SHA512a3cbc334b9f3860e37a9785b5e5c2278a8032f5d2dd8ea9dc8096f11a7a6ca17758a36480f7dbedae4a6e11707a499d8965ae9e6e9a9d32bf704274b04adb3c0