Analysis
-
max time kernel
142s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
25-11-2022 06:46
Static task
static1
Behavioral task
behavioral1
Sample
f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
Resource
win10v2004-20220901-en
General
-
Target
f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
-
Size
114KB
-
MD5
7583749fdc248fa02181f92fff511229
-
SHA1
8fd8a257c5f9d3b1efa153fd29074fe0408ac33b
-
SHA256
f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31
-
SHA512
7f30f80109325f73e7fcf19114a97fa2d2dfa9c01fa5a94a6289dfdff9f3b1231195a2dbbd5557c5eff2f4c68ccd4978aa05b1df1b6f4509c9786b55b1d5ebca
-
SSDEEP
3072:e3m/d2UIagDojIxXR92PUsDVRqp1aW0CUCQxYDbHjLr:z2jaao0QnCoY3/r
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 18 IoCs
Processes: services.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | services.exe
-
Modifies security service 2 TTPs 26 IoCs
Processes: services.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ErrorControl = "0" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Type = "32" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32" | services.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
564 | cmd.exe
-
Unexpected DNS network traffic destination 6 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
-
Drops desktop.ini file(s) 2 IoCs
Processes: services.exe
description | ioc | process
File created | \systemroot\assembly\GAC_64\Desktop.ini | services.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | services.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
description | pid | process | target process
PID 1648 set thread context of 564 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | cmd.exe
-
Drops file in Windows directory 1 IoCs
Processes: f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
description | ioc | process
File created | C:\Windows\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@ | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe, services.exe
pid | process
1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
460 | services.exe
1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1244 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes: f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe, services.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
Token: SeDebugPrivilege | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
Token: SeDebugPrivilege | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
Token: SeDebugPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeBackupPrivilege | 460 | services.exe
Token: SeRestorePrivilege | 460 | services.exe
Token: SeSecurityPrivilege | 460 | services.exe
Token: SeTakeOwnershipPrivilege | 460 | services.exe
Token: SeShutdownPrivilege | 1244 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process
1244 | Explorer.EXE
1244 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process
1244 | Explorer.EXE
1244 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes: f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe
description | pid | process | target process
PID 1648 wrote to memory of 1244 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | Explorer.EXE
PID 1648 wrote to memory of 460 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | services.exe
PID 1648 wrote to memory of 564 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | cmd.exe
PID 1648 wrote to memory of 564 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | cmd.exe
PID 1648 wrote to memory of 564 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | cmd.exe
PID 1648 wrote to memory of 564 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | cmd.exe
PID 1648 wrote to memory of 564 | 1648 | f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe | cmd.exe
Processes
-
[depth 1] C:\Windows\system32\services.exe (command line: C:\Windows\system32\services.exe)
- Modifies firewall policy service
- Modifies security service
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460
-
[depth 1] C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1244
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f4bd7ad1e9e28aa4bfebbdf33065e75fde5519f515c70a4387a7f670a1de1c31.exe")
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
-
[depth 3] C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe")
- Deletes itself
PID:564
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\systemroot\Installer\{8c508dde-2ce9-92e3-5b79-435a5d2d0943}\@
Filesize 2KB
MD5 df34aaeb1c6624dcb4d1d96c069aac80
SHA1 534ba0909c06204000f381589f8dae494cf6541b
SHA256 1168ce5df5d2ad309bb33f96b49433fee3bb3784c56975b1e902326c3d430ec3
SHA512 7e72dfea34b6ebff34286cb67630a8068b1a262210a2baed98a4747dc780d077dfbe77a6a7aa0c97976fd59fb465d6f867e9b4a77271f0e68c68314df5985aab
-
memory/460-54-0x0000000000080000-0x000000000008F000-memory.dmp
Filesize 60KB
-
memory/460-58-0x0000000000080000-0x000000000008F000-memory.dmp
Filesize 60KB
-
memory/460-62-0x0000000000080000-0x000000000008F000-memory.dmp
Filesize 60KB
-
memory/460-64-0x0000000000070000-0x000000000007B000-memory.dmp
Filesize 44KB
-
memory/460-65-0x0000000000090000-0x000000000009F000-memory.dmp
Filesize 60KB
-
memory/460-66-0x0000000000070000-0x000000000007B000-memory.dmp
Filesize 44KB
-
memory/460-67-0x0000000000090000-0x000000000009F000-memory.dmp
Filesize 60KB
-
memory/564-68-0x0000000000000000-mapping.dmp