c9965088b9c0333c1f95e4d0738cee30bce1297e6c51cdf9493ace105b95d098

Analysis

max time kernel
192s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

filmora_setup_full1081.exe
Size

2.0MB
MD5

2cebe47b7173d9c5347df5fefda7aa4d
SHA1

47fd78c898c19450e8b4392b2db648513b50a8aa
SHA256

c9965088b9c0333c1f95e4d0738cee30bce1297e6c51cdf9493ace105b95d098
SHA512

f069ea55e7db63c4b799a9a924ba20f7722cb01ad7b3f8d5f3e98368d2c8f784d088fcbd18929200b8188d1abdd3da89ffef98e2ac31c7240dd21fe50cecf62d
SSDEEP

49152:H05czfx+MZ5oqTGOFDyhFufVjypTQa9NSab8us1:HIczfX6mjFtfVm9NG

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NFWCHK.exe

pid process

924 NFWCHK.exe

pid	process
924	NFWCHK.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Control Panel 1 IoCs
evasion

Processes:

filmora_setup_full1081.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\MuiCached filmora_setup_full1081.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\MuiCached	filmora_setup_full1081.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4120 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description pid process

Token: SeDebugPrivilege 4120 taskmgr.exe
Token: SeSystemProfilePrivilege 4120 taskmgr.exe
Token: SeCreateGlobalPrivilege 4120 taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4120	taskmgr.exe
Token: SeSystemProfilePrivilege	4120	taskmgr.exe
Token: SeCreateGlobalPrivilege	4120	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe
4120	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

filmora_setup_full1081.exe

pid process

516 filmora_setup_full1081.exe
516 filmora_setup_full1081.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

filmora_setup_full1081.exe

description pid process target process

PID 516 wrote to memory of 924 516 filmora_setup_full1081.exe NFWCHK.exe
PID 516 wrote to memory of 924 516 filmora_setup_full1081.exe NFWCHK.exe

pid	process
516	filmora_setup_full1081.exe
516	filmora_setup_full1081.exe

description	pid	process	target process
PID 516 wrote to memory of 924	516	filmora_setup_full1081.exe	NFWCHK.exe
PID 516 wrote to memory of 924	516	filmora_setup_full1081.exe	NFWCHK.exe

C:\Users\Admin\AppData\Local\Temp\filmora_setup_full1081.exe
"C:\Users\Admin\AppData\Local\Temp\filmora_setup_full1081.exe"
1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:516

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
2⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\f4b1335f1dec405abd25f34a8f6cecc1 /t 2700 /p 516
1⤵
PID:3176

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsduilib.log
Filesize
5KB

MD5
c2e7af7ee5dd17830b16bab842465ada

SHA1
667c423d231691ab5fcc4b105a0ceea61872aebf

SHA256
04bd471e273c3941e344d2fe3b11dcd764d233ecbeed6a0a7b862c204e8f9ec1

SHA512
d8e3c30849e7c30a784afb21c2c6ba1b179a3ce21fc18e012b43e80f8c61aae7ed078ffb89452f68dbdb3e7501e6fa815d10937c765ae01f98becee5a9af99f7

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/924-1151-0x00007FFA136A5000-0x00007FFA136A6000-memory.dmp

Filesize
4KB

Download
memory/924-1152-0x0000000000F50000-0x0000000000F74000-memory.dmp

Filesize
144KB

Download
memory/924-1153-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

Filesize
96KB

Download
memory/924-1154-0x0000000000FE0000-0x0000000001000000-memory.dmp

Filesize
128KB

Download
memory/924-1155-0x00007FFA133F0000-0x00007FFA13D91000-memory.dmp

Filesize
9.6MB

Download
memory/924-1156-0x000000001B5F0000-0x000000001B8FE000-memory.dmp

Filesize
3.1MB

Download
memory/924-1157-0x00007FFA133F0000-0x00007FFA13D91000-memory.dmp

Filesize
9.6MB

Download
memory/924-1158-0x000000001BD90000-0x000000001BDD9000-memory.dmp

Filesize
292KB

Download
memory/924-1159-0x000000001BE50000-0x000000001BEB2000-memory.dmp

Filesize
392KB

Download
memory/924-1160-0x000000001C390000-0x000000001C85E000-memory.dmp

Filesize
4.8MB

Download
memory/924-1161-0x000000001C900000-0x000000001C99C000-memory.dmp

Filesize
624KB

Download
memory/924-1162-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/924-1163-0x000000001CCD0000-0x000000001CD0E000-memory.dmp

Filesize
248KB

Download
memory/924-1165-0x00007FFA133F0000-0x00007FFA13D91000-memory.dmp

Filesize
9.6MB

Download
memory/4120-1177-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1178-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1176-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1188-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1187-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1186-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1185-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1184-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1182-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download
memory/4120-1183-0x0000028B0F2E0000-0x0000028B0F2E1000-memory.dmp

Filesize
4KB

Download