74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

Analysis

max time kernel
152s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
Size

120KB
MD5

812c7fc86d0f6213b42901e0900483e7
SHA1

09bfa3fe338cee7221857c347c4b4fea2f2eec49
SHA256

74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47
SHA512

36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2
SSDEEP

1536:ojqQukmLkY/vO74BzIAS/B9SQzebQcMxVOUrt8t+MYYogMi+67RG:oLhWkYZvSHbz4MNt8t+eogZ+6l

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4608	file.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4536	netsh.exe
4440	netsh.exe
3956	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPSystem = "C:\\Users\\Admin\\AppData\\Roaming\\file.exe"	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
Token: SeDebugPrivilege	216	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
Token: SeDebugPrivilege	4608	file.exe
Token: SeDebugPrivilege	4608	file.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4608	216	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	84
PID 216 wrote to memory of 4608	216	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	84
PID 216 wrote to memory of 4608	216	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	84
PID 4608 wrote to memory of 4536	4608	file.exe	85
PID 4608 wrote to memory of 4536	4608	file.exe	85
PID 4608 wrote to memory of 4536	4608	file.exe	85
PID 4608 wrote to memory of 4440	4608	file.exe	86
PID 4608 wrote to memory of 4440	4608	file.exe	86
PID 4608 wrote to memory of 4440	4608	file.exe	86
PID 4608 wrote to memory of 3956	4608	file.exe	87
PID 4608 wrote to memory of 3956	4608	file.exe	87
PID 4608 wrote to memory of 3956	4608	file.exe	87

C:\Users\Admin\AppData\Local\Temp\74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
"C:\Users\Admin\AppData\Local\Temp\74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Roaming\file.exe
  "C:\Users\Admin\AppData\Roaming\file.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule profile=any name=Win2y2
    3⤵
    - Modifies Windows Firewall
    PID:4536
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=out name=Win2y2 program="C:\Users\Admin\AppData\Roaming\file.exe"
    3⤵
    - Modifies Windows Firewall
    PID:4440
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=Win2y2 program="C:\Users\Admin\AppData\Roaming\file.exe"
    3⤵
    - Modifies Windows Firewall
    PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\file.exe

Filesize
120KB

MD5
812c7fc86d0f6213b42901e0900483e7

SHA1
09bfa3fe338cee7221857c347c4b4fea2f2eec49

SHA256
74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

SHA512
36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2

Download Submit
C:\Users\Admin\AppData\Roaming\file.exe

Filesize
120KB

MD5
812c7fc86d0f6213b42901e0900483e7

SHA1
09bfa3fe338cee7221857c347c4b4fea2f2eec49

SHA256
74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

SHA512
36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2

Download Submit