Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 12-08-2022 01:06
Behavioral task: behavioral1
- Sample: 11820b9031e1a4100acb4e0d3a7549c0.exe
- Resource: win7-20220718-en (windows7-x64)
- 6 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: 11820b9031e1a4100acb4e0d3a7549c0.exe
- Resource: win10v2004-20220721-en (windows10-2004-x64)
- 6 signatures
- 150 seconds
General
- Target: 11820b9031e1a4100acb4e0d3a7549c0.exe
- Size: 37KB
- MD5: 11820b9031e1a4100acb4e0d3a7549c0
- SHA1: 67b0d0fc95387f19439e4927723678ccb435e25a
- SHA256: e7aae5f5dff1dfaace5aa89edd80cbc921a324ce8492de922f46178aa4432e36
- SHA512: 8b43954a0857870ec404a309cfa062a1a324af2ecc2529d810c7eaef888449f1462c2cc93fb738762b81e10835bdbe0f8ff33149c6cc96b521431be8ccef5e8d
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: 11820b9031e1a4100acb4e0d3a7549c0.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a3742eaaf27c5324d5510354d9aa6cf3.exe | 11820b9031e1a4100acb4e0d3a7549c0.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a3742eaaf27c5324d5510354d9aa6cf3.exe | 11820b9031e1a4100acb4e0d3a7549c0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 11820b9031e1a4100acb4e0d3a7549c0.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\a3742eaaf27c5324d5510354d9aa6cf3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\11820b9031e1a4100acb4e0d3a7549c0.exe\" .." | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a3742eaaf27c5324d5510354d9aa6cf3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\11820b9031e1a4100acb4e0d3a7549c0.exe\" .." | 11820b9031e1a4100acb4e0d3a7549c0.exe
- Drops autorun.inf file (1 TTPs, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: 11820b9031e1a4100acb4e0d3a7549c0.exe
  description | ioc | process
  File created | C:\autorun.inf | 11820b9031e1a4100acb4e0d3a7549c0.exe
  File opened for modification | C:\autorun.inf | 11820b9031e1a4100acb4e0d3a7549c0.exe
  File created | D:\autorun.inf | 11820b9031e1a4100acb4e0d3a7549c0.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: 11820b9031e1a4100acb4e0d3a7549c0.exe
  description | pid | process
  Token: SeDebugPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: 33 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 11820b9031e1a4100acb4e0d3a7549c0.exe
  description | pid | process | target process
  PID 1180 wrote to memory of 2036 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe | netsh.exe
  PID 1180 wrote to memory of 2036 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe | netsh.exe
  PID 1180 wrote to memory of 2036 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe | netsh.exe
  PID 1180 wrote to memory of 2036 | 1180 | 11820b9031e1a4100acb4e0d3a7549c0.exe | netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\11820b9031e1a4100acb4e0d3a7549c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11820b9031e1a4100acb4e0d3a7549c0.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\netsh.exe (child of [1])
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\11820b9031e1a4100acb4e0d3a7549c0.exe" "11820b9031e1a4100acb4e0d3a7549c0.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1180-54-0x0000000075481000-0x0000000075483000-memory.dmp (Filesize: 8KB)
- memory/1180-55-0x00000000746C0000-0x0000000074C6B000-memory.dmp (Filesize: 5.7MB)
- memory/1180-58-0x00000000746C0000-0x0000000074C6B000-memory.dmp (Filesize: 5.7MB)
- memory/2036-56-0x0000000000000000-mapping.dmp