Analysis
  max time kernel: 149s
  max time network: 152s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 24-03-2023 18:16
Behavioral task: behavioral1
  Sample: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Resource: win7-20230220-en (windows7-x64)
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Resource: win10v2004-20230220-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
  Target: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Size: 37KB
  MD5: 09a039699d3c2b826e5e2f8ad90f50fc
  SHA1: 158c98ba265e4829c203771eb566d607c5ab0f72
  SHA256: 6c3183412fc318d586ba196d42f9399ecc84500d4624377752b4952442236093
  SHA512: a17c7e95fd27806da95776a81fe864e8050cbbaeb9d937ddbf2ef6dd38c88dfab5017df6706e9c1e74b51ff9ebdad22a9e78b21dcf6d8351dbba1a9c6df1d547
  SSDEEP: 384:/0qBkiyjnDNGRn5IyUvapIrPbh+/VsIt6xrAF+rMRTyN/0L+EcoinblneHQM3epD:M35M5jUvairANsIQxrM+rMRa8Nuu0t
  Score: 8/10
Malware Config
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\477e42ad55ebd15287499bd5aac86f08 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\09a039699d3c2b826e5e2f8ad90f50fc.exe\" .." | 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\477e42ad55ebd15287499bd5aac86f08 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\09a039699d3c2b826e5e2f8ad90f50fc.exe\" .." | 09a039699d3c2b826e5e2f8ad90f50fc.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1668 | 09a039699d3c2b826e5e2f8ad90f50fc.exe (1 event)
  Token: 33 | 1668 | 09a039699d3c2b826e5e2f8ad90f50fc.exe (11 events)
  Token: SeIncBasePriorityPrivilege | 1668 | 09a039699d3c2b826e5e2f8ad90f50fc.exe (11 events, alternating with the Token: 33 events above)

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  description | pid | process | target process
  PID 1668 wrote to memory of 1716 | 1668 | 09a039699d3c2b826e5e2f8ad90f50fc.exe | netsh.exe (4 events)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\09a039699d3c2b826e5e2f8ad90f50fc.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\09a039699d3c2b826e5e2f8ad90f50fc.exe"
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\netsh.exe (child of process 1)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\09a039699d3c2b826e5e2f8ad90f50fc.exe" "09a039699d3c2b826e5e2f8ad90f50fc.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/1668-54-0x0000000000910000-0x0000000000950000-memory.dmp
  Filesize: 256KB