Analysis
- max time kernel: 143s
- max time network: 194s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 13:29
Static task: static1

Behavioral task: behavioral1
- Sample: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Resource: win10v2004-20220812-en
General
- Target: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Size: 170KB
- MD5: dda8981aee97a3408462bc92458aed39
- SHA1: 1efdfbde1119d532d6e7fb33b82c19d89b9486f4
- SHA256: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9
- SHA512: bc6ffcf55424e3694822383885a3848ccf1cfbd83dfe747692fbdbdf5898988a1822be1f0edae01eefc3aece34392c41df21b202c2d1e4c763e64bd87055a2f3
- SSDEEP: 3072:2O+0vRk64ySxQytIlLGgl74TS+uoyNVfsh/yLtcsOFJFwAqUFIe9W3wZ219V3BGJ:XVvRuyIuRGg5Kuo6shvsOFJFwd4QwZEE
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 18 IoCs)
Processes: services.exe
description | ioc | process
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices | services.exe
Modifies security service (2 TTPs, 24 IoCs)
Processes: services.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1" | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1" | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1" | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32" | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0" | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0" | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32" | services.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | services.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap | services.exe
Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\\n." | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
- 1528 | cmd.exe
Unexpected DNS network traffic destination (8 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
- Destination IP | 83.133.123.20 (reported 8 times)
Drops desktop.ini file(s) (2 IoCs)
Processes: services.exe
description | ioc | process
- File created | \systemroot\assembly\GAC_64\Desktop.ini | services.exe
- File created | \systemroot\assembly\GAC_32\Desktop.ini | services.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
description | pid | process | target process
- PID 2036 set thread context of 1528 | 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe | cmd.exe
Drops file in Windows directory (2 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
description | ioc | process
- File created | C:\Windows\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@ | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- File created | C:\Windows\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\n | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Modifies registry class (5 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\clsid | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\\n." | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe, services.exe
pid | process
- 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe (reported 5 times)
- 460 | services.exe
- 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
- 1272 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe, services.exe, Explorer.EXE
description | pid | process
- Token: SeDebugPrivilege | 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe (reported 3 times)
- Token: SeDebugPrivilege | 460 | services.exe
- Token: SeBackupPrivilege | 460 | services.exe (reported 6 times)
- Token: SeRestorePrivilege | 460 | services.exe (reported 6 times)
- Token: SeSecurityPrivilege | 460 | services.exe (reported 6 times)
- Token: SeTakeOwnershipPrivilege | 460 | services.exe (reported 6 times)
- Token: SeShutdownPrivilege | 1272 | Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
pid | process
- 1272 | Explorer.EXE (reported 2 times)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
pid | process
- 1272 | Explorer.EXE (reported 2 times)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe
description | pid | process | target process
- PID 2036 wrote to memory of 1272 | 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe | Explorer.EXE (reported 2 times)
- PID 2036 wrote to memory of 460 | 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe | services.exe
- PID 2036 wrote to memory of 1528 | 2036 | a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe | cmd.exe (reported 5 times)
Processes
- C:\Windows\system32\services.exe (PID 460), command line: C:\Windows\system32\services.exe
  - Modifies firewall policy service
  - Modifies security service
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (PID 1272), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe (PID 2036), command line: "C:\Users\Admin\AppData\Local\Temp\a3fd9eac179dfe5f96cd4466c9ff1c0914f30a660b08fd91065e0b0cd68a4de9.exe"
    - Registers COM server for autorun
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1528), command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- \systemroot\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@
  - Filesize: 2KB
  - MD5: 6d740b93fad9f41b807f314fd6a33f35
  - SHA1: b43fa116b5da12d6a168d0bf17eb6fe0268f5bce
  - SHA256: d2a706a126e88da8f4ac52b9a501599398f4ebb2e666fcc4130d8e579a123503
  - SHA512: 5ac1acad2bba4d784b34c57fd803446620a291a85279f8a4d5a8365e23bb349d3a442542fbb79e6d822ec95546fd263c6347532c39ac9c6683ffc1501f1d6b91
- memory/460-78-0x00000000001A0000-0x00000000001AF000-memory.dmp (Filesize: 60KB)
- memory/460-83-0x00000000001B0000-0x00000000001BF000-memory.dmp (Filesize: 60KB)
- memory/460-82-0x0000000000190000-0x000000000019C000-memory.dmp (Filesize: 48KB)
- memory/460-79-0x0000000000190000-0x000000000019C000-memory.dmp (Filesize: 48KB)
- memory/460-80-0x00000000001B0000-0x00000000001BF000-memory.dmp (Filesize: 60KB)
- memory/460-74-0x00000000001A0000-0x00000000001AF000-memory.dmp (Filesize: 60KB)
- memory/1272-61-0x0000000002B10000-0x0000000002B1F000-memory.dmp (Filesize: 60KB)
- memory/1272-69-0x0000000002AF0000-0x0000000002AFC000-memory.dmp (Filesize: 48KB)
- memory/1272-67-0x0000000002B20000-0x0000000002B2F000-memory.dmp (Filesize: 60KB)
- memory/1272-66-0x0000000002AF0000-0x0000000002AFC000-memory.dmp (Filesize: 48KB)
- memory/1272-57-0x0000000002B10000-0x0000000002B1F000-memory.dmp (Filesize: 60KB)
- memory/1272-65-0x0000000002B10000-0x0000000002B1F000-memory.dmp (Filesize: 60KB)
- memory/1528-84-0x0000000000000000-mapping.dmp
- memory/2036-68-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2036-54-0x00000000002B0000-0x00000000002E6000-memory.dmp (Filesize: 216KB)
- memory/2036-55-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2036-56-0x00000000002B0000-0x00000000002E6000-memory.dmp (Filesize: 216KB)
- memory/2036-85-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)