Overview

overview

8

Static

static

3

SFMC-1.0.1...ll.exe

windows7-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2024, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SFMC-1.0.15.5-Setup-Full.exe

  • Size

    2.8MB

  • MD5

    d6695fff359feb51af51cc379dd28c65

  • SHA1

    16c24eaeea9f35da5713bf1bc93cb33f5445f4fc

  • SHA256

    40cb94e431dac4df195e08238d262a416ec313c1e8acdf4b58231297dc2439c2

  • SHA512

    ca59b2202a0ec68f78db20fc653bbcc2c169bb55a24c3fccc14352be858efddabdb3b3fa3cdcb606281144a6194b815060634f6ac895f03be3c0f53196f921f4

  • SSDEEP

    49152:QqhznQaNha3Ge2dmTAEfrzRT1OxiGrcO4ELxRpOiaOYxMMui1XRhxQaNHRW7CLbB:d1QA6dSqAQhYdOlEi1X1aCvmA

Score
8/10
discoveryexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe
    "C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp" /SL5="$30148,2514860,230912,C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /IM MCThemerUI.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
        "C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:476
        • C:\Windows\System32\takeown.exe
          "C:\Windows\System32\takeown.exe" /f "C:\Windows\ehome" /r /d y
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1912
        • C:\Windows\System32\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Windows\ehome" /grant BUILTIN\Administrators:F /t
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
    Filesize

    2.4MB

    MD5

    a783a35a0314f652592d2eaeaaad96a6

    SHA1

    34a11a795258aa685a5a8ecd1c9ce1c5f05ee68b

    SHA256

    6dcf16a0dc6f5540dc71a47df2096750ef998d14be52800f790f8563804e7cad

    SHA512

    c25368066045466a2952c8d2876eb6e67eb0a9821f9fddd7959a2ff51dc9e0dc02770e28a3afa44493fd56d51d3d9d00a2f1a986911f3a776b232222c12be1c3

    Download Submit

  • \Program Files (x86)\System Functions Software\Media Center Themer\unins000.exe
    Filesize

    872KB

    MD5

    bbd08bc03eaa9e351c4a996296d56cbd

    SHA1

    ef26352f0982cfe7a1028d298aa7588239b1b879

    SHA256

    f595c5736014eef5c5ce6e9eae682a8549c717b2b845404dae8b66ca81973175

    SHA512

    c73b0cdbe6a6deae1a35909df76aa68f964a5b8bc5dc812034a14475ca0a3003e30828b1c9de45734e92ee9a5704d8ddde783cf8a1e9e664397e3ebce0cd1f92

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-KB874.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
    Filesize

    861KB

    MD5

    89ae994d144376496da7226c96874451

    SHA1

    8f4cd0fe90b8017e2984d918ceef5fdead9ce308

    SHA256

    770047e65bf5ee822edaff53beb019a2bd521a4cd32aab73264e6b5ca75965bb

    SHA512

    013ec11f2f6bdf7db36d1ed1c942a2a8c8c94b8da6547518ca2be594da416cbe9f24ccfd0092551b70b8fac1baf90c04e6d42d921d7c7ff16e7c2b31d5692ede

    Download Submit

  • memory/476-45-0x0000000000BA0000-0x0000000000E0E000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/476-54-0x000000001F330000-0x000000001F340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2332-0-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2332-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2332-15-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2332-50-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2540-14-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

    Download

  • memory/2540-49-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

    Download

  • memory/2540-19-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

    Download

  • memory/2540-17-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

    Download