Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2022 00:12
Behavioral task: behavioral1
Sample: 121e18b2c5111707637ef2896cfb566c.exe
Resource: win7-20220812-en (windows7-x64)
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 121e18b2c5111707637ef2896cfb566c.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
5 signatures, 150 seconds
General
Target: 121e18b2c5111707637ef2896cfb566c.exe
Size: 37KB
MD5: 121e18b2c5111707637ef2896cfb566c
SHA1: 4f7f131ba7dc7e6bfe98c092b95fe891e50b0105
SHA256: 52f4937c80ab5e677ef2a0a169632067a74f8b9eef4f4994e9f5a9f5e36c2b56
SHA512: 7035f403662c6f01a4f1475c929888aff82650e2328ce45cd916dbfef7b53542ca5b402f20e189f8afb9f7e8619c21d2dfe7b173872da6965bc7dea86ebfc616
SSDEEP: 384:u8Os0IiejvCVLO309QmykrtG+dA+VfwvOSifrAF+rMRTyN/0L+EcoinblneHQM3T:GFdGdkrgYRwWS0rM+rMRa8NuHYt
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c60029bc13b6f6bd71b31a478dff99d5.exe | 121e18b2c5111707637ef2896cfb566c.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c60029bc13b6f6bd71b31a478dff99d5.exe | 121e18b2c5111707637ef2896cfb566c.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\c60029bc13b6f6bd71b31a478dff99d5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\121e18b2c5111707637ef2896cfb566c.exe\" .." | 121e18b2c5111707637ef2896cfb566c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c60029bc13b6f6bd71b31a478dff99d5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\121e18b2c5111707637ef2896cfb566c.exe\" .." | 121e18b2c5111707637ef2896cfb566c.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description | pid | process
  Token: SeDebugPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: 33 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
  Token: SeIncBasePriorityPrivilege | 2000 | 121e18b2c5111707637ef2896cfb566c.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description | pid | process | target process
  PID 2000 wrote to memory of 1240 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe | netsh.exe
  PID 2000 wrote to memory of 1240 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe | netsh.exe
  PID 2000 wrote to memory of 1240 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe | netsh.exe
  PID 2000 wrote to memory of 1240 | 2000 | 121e18b2c5111707637ef2896cfb566c.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe" "121e18b2c5111707637ef2896cfb566c.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1240-56-0x0000000000000000-mapping.dmp
- memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)
- memory/2000-55-0x00000000743D0000-0x000000007497B000-memory.dmp (Filesize: 5.7MB)
- memory/2000-58-0x00000000743D0000-0x000000007497B000-memory.dmp (Filesize: 5.7MB)