netfilter | 659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9

Analysis

Target

659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe
Size

9KB
MD5

83720e64aa1388d55324a22536bd39cd
SHA1

8fa3636a7697f953d7daa02a313981b9e3bc98e4
SHA256

659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9
SHA512

0ab402911cdefceb9a6ade0b968b10c628fed6da17097b8cd943f76527078a597425c8d0845bb86f0318ee1967dd3f43aa951f822b79933da475eb1ace70922d

Score

10^/10

NetFilter
NetFilter is a rootkit first seen in June 2021.
rootkit netfilter
Downloads MZ/PE file
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe

pid process

3016 659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe

description pid process

Token: SeLoadDriverPrivilege 3016 659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe

pid	process
3016	659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe

description	pid	process
Token: SeLoadDriverPrivilege	3016	659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe

description	pid	process	target process
PID 3016 wrote to memory of 1516	3016	659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe	regini.exe
PID 3016 wrote to memory of 1516	3016	659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe	regini.exe
PID 3016 wrote to memory of 1516	3016	659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe	regini.exe

C:\Users\Admin\AppData\Local\Temp\659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe
"C:\Users\Admin\AppData\Local\Temp\659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.bin.exe"
1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\regini.exe
  "C:\Windows\System32\regini.exe" c.xalm
  2⤵
  PID:1516

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\c.xalm

MD5
e4a1a575a3c19abc5ff8fd9f3fece159

SHA1
d15d4c436faeb642871c33932da2f31e265d200c

SHA256
60c77aa3a588cb9c807d934f0352fbedc9e64046a972f1ad9fdbf229c9158a26

SHA512
23f01e80234f19ce071646b978646279bc1d8f883248c405e2e10ac75d8f67fc08d4109fc87a7021ccec3ae083c53e78c62045383d25622115cd05b0e6972fff

Download Submit
memory/1516-114-0x0000000000000000-mapping.dmp

Download