Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 18:16
Behavioral task: behavioral1
- Sample: 09a039699d3c2b826e5e2f8ad90f50fc.exe
- Resource: win7-20230220-en
- Platform: windows7-x64
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 09a039699d3c2b826e5e2f8ad90f50fc.exe
- Resource: win10v2004-20230220-en
- Platform: windows10-2004-x64
- 5 signatures
- 150 seconds
General
- Target: 09a039699d3c2b826e5e2f8ad90f50fc.exe
- Size: 37KB
- MD5: 09a039699d3c2b826e5e2f8ad90f50fc
- SHA1: 158c98ba265e4829c203771eb566d607c5ab0f72
- SHA256: 6c3183412fc318d586ba196d42f9399ecc84500d4624377752b4952442236093
- SHA512: a17c7e95fd27806da95776a81fe864e8050cbbaeb9d937ddbf2ef6dd38c88dfab5017df6706e9c1e74b51ff9ebdad22a9e78b21dcf6d8351dbba1a9c6df1d547
- SSDEEP: 384:/0qBkiyjnDNGRn5IyUvapIrPbh+/VsIt6xrAF+rMRTyN/0L+EcoinblneHQM3epD:M35M5jUvairANsIQxrM+rMRa8Nuu0t
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\477e42ad55ebd15287499bd5aac86f08 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\09a039699d3c2b826e5e2f8ad90f50fc.exe\" .." | 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\477e42ad55ebd15287499bd5aac86f08 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\09a039699d3c2b826e5e2f8ad90f50fc.exe\" .." | 09a039699d3c2b826e5e2f8ad90f50fc.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1912 | 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Token: 33 | 1912 | 09a039699d3c2b826e5e2f8ad90f50fc.exe
  Token: SeIncBasePriorityPrivilege | 1912 | 09a039699d3c2b826e5e2f8ad90f50fc.exe
  (The "Token: 33" and "Token: SeIncBasePriorityPrivilege" rows alternate for the remainder of the 35 entries, all from pid 1912.)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 09a039699d3c2b826e5e2f8ad90f50fc.exe
  description | pid | process | target process
  PID 1912 wrote to memory of 4244 | 1912 | 09a039699d3c2b826e5e2f8ad90f50fc.exe | netsh.exe
  (The same row is recorded 3 times.)
Processes
- C:\Users\Admin\AppData\Local\Temp\09a039699d3c2b826e5e2f8ad90f50fc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09a039699d3c2b826e5e2f8ad90f50fc.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of the process above)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\09a039699d3c2b826e5e2f8ad90f50fc.exe" "09a039699d3c2b826e5e2f8ad90f50fc.exe" ENABLE
    - Modifies Windows Firewall