netfilter | 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89

Analysis

Target

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
Size

564KB
MD5

145e3c224e4ecaf26d4638efb9d622a7
SHA1

70d5b0be6ed51e43c0a19b773cead8793257bbc1
SHA256

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89
SHA512

f6a45167238bff44410c528fdeaf417cb6fd5a563bb61fb6febd76a26f427657f4f93175cac25a09784029818190645fb9d40f7ce781329a2eda7ae669f3d822

Score

10^/10

NetFilter
NetFilter is a rootkit first seen in June 2021.
rootkit netfilter
Downloads MZ/PE file
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

pid process

1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

description pid process

Token: SeLoadDriverPrivilege 1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

pid	process
1908	9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

description	pid	process
Token: SeLoadDriverPrivilege	1908	9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

description	pid	process	target process
PID 1908 wrote to memory of 960	1908	9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe	regini.exe
PID 1908 wrote to memory of 960	1908	9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe	regini.exe
PID 1908 wrote to memory of 960	1908	9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe	regini.exe

C:\Users\Admin\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
"C:\Users\Admin\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe"
1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\regini.exe
  "C:\Windows\System32\regini.exe" configure.xalm
  2⤵
  PID:960

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\configure.xalm

MD5
e4a1a575a3c19abc5ff8fd9f3fece159

SHA1
d15d4c436faeb642871c33932da2f31e265d200c

SHA256
60c77aa3a588cb9c807d934f0352fbedc9e64046a972f1ad9fdbf229c9158a26

SHA512
23f01e80234f19ce071646b978646279bc1d8f883248c405e2e10ac75d8f67fc08d4109fc87a7021ccec3ae083c53e78c62045383d25622115cd05b0e6972fff

Download Submit
memory/960-114-0x0000000000000000-mapping.dmp

Download