Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 16:11
Static task
static1
Behavioral task
behavioral1
Sample
688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$TEMP/F1gaSebe_crypted.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$TEMP/F1gaSebe_crypted.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$TEMP/Shortfalls.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$TEMP/Shortfalls.exe
Resource
win10v2004-20241007-en
General
-
Target
$TEMP/Shortfalls.exe
-
Size
3.6MB
-
MD5
1b8ae5c577608b9f780b3ad704679e0a
-
SHA1
4402007d8e5ca59fe704d543a417c77e39dce762
-
SHA256
039a6fd68c38bd081e9bca0181187df2653e501b5795d24ad6f895cf81c50bdf
-
SHA512
9cc97013331ef3d4fbce1d1656ee5a28c193a50eabbf8fd75f2f1a8c57c00d2b32f82bdb35896209e3d7e24babfed607656b6e4a11a910fa099fbc25340587b3
-
SSDEEP
98304:Gm+wj+XNf1GKVwspuM2ntX8RIx44l6MeNDkVly:262xwssMcX8q/bex2
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico Shortfalls.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 20 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Shortfalls.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings Shortfalls.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Shortfalls.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" Shortfalls.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg Shortfalls.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" Shortfalls.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Shortfalls.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1520 Shortfalls.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1520 Shortfalls.exe 1520 Shortfalls.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1520 wrote to memory of 2748 1520 Shortfalls.exe 31 PID 1520 wrote to memory of 2748 1520 Shortfalls.exe 31 PID 1520 wrote to memory of 2748 1520 Shortfalls.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\Shortfalls.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\Shortfalls.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1520 -s 20682⤵PID:2748
-