79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2

Analysis

max time kernel
83s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
Size

1.9MB
MD5

2d75c455e4f2390c0337a79b3b36dd56
SHA1

56de862a7247cc9a8225c02195981eef8f6bf678
SHA256

79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2
SHA512

cfb04ad55fca10d20268267fe19f341c9e001729e960e6b49281a40e853ff4f440a1c2640706abe47b0e6f88f077153601c464bc8315b4dc8e0008ee6bd3d5ca
SSDEEP

49152:J5WzV7UpOOYICbk7mCgIVvOAybr5dKcsZ/F2T:PCV4pO+Cbk6qxO2V/

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1324	netsh.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ZERMMMDR945.txt	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
File created	C:\Windows\svchost.exe	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
File opened for modification	C:\Windows\svchost.exe	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2036	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 984	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	27
PID 1628 wrote to memory of 984	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	27
PID 1628 wrote to memory of 984	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	27
PID 1628 wrote to memory of 984	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	27
PID 1628 wrote to memory of 2036	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	29
PID 1628 wrote to memory of 2036	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	29
PID 1628 wrote to memory of 2036	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	29
PID 1628 wrote to memory of 2036	1628	79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe	29
PID 984 wrote to memory of 1324	984	cmd.exe	31
PID 984 wrote to memory of 1324	984	cmd.exe	31
PID 984 wrote to memory of 1324	984	cmd.exe	31
PID 984 wrote to memory of 1324	984	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe
"C:\Users\Admin\AppData\Local\Temp\79ef743d0ceb328f950cae8db224d1b82854168027c9dccb3dfdf114ffd312f2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1628
- C:\WINDOWS\SysWOW64\cmd.exe
  C:\WINDOWS\system32\cmd.exe /c "netsh firewall set opmode mode = disable"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode = disable
    3⤵
    - Modifies Windows Firewall
    PID:1324
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
  2⤵
  - Creates scheduled task(s)
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads