Analysis
max time kernel: 28s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2023 16:51
Static task: static1
Behavioral tasks:
  behavioral1  Sample: infected (2)/1/Application.exe   Resource: win7-20230220-en
  behavioral2  Sample: infected (2)/1/Application.exe   Resource: win10v2004-20230220-en
  behavioral3  Sample: infected (2)/1/XLGameUpdate.exe  Resource: win7-20230220-en
  behavioral4  Sample: infected (2)/1/XLGameUpdate.exe  Resource: win10v2004-20230220-en
  behavioral5  Sample: infected (2)/2/Console.exe       Resource: win7-20230220-en
  behavioral6  Sample: infected (2)/2/Console.exe       Resource: win10v2004-20230220-en
General
Target: infected (2)/2/Console.exe
Size: 1.0MB
MD5: 3aaf501f5a33c7b5457cdc9d876175e4
SHA1: 984dd31cde0808a038ab7dda7c725589d9b93ccf
SHA256: f57a2410ce496f17befaf980e3d38156f6f3641b2daa546ac42fc5181c2cce89
SHA512: f8ad9a8d86aab7b0c3f3008f5ee2530bf5515fd1128882394add2ca66cbab073694fd5cae8ebc3927af493a103f523fdcde6672ff07bfa02f391d07e4e9c44c0
SSDEEP: 24576:hjXTI+uEu0on2l+syXOCHAvJNMVqT5HjTEtkD9UQwZqF2nbJ:GZn2l+syXOCHAvXvTdEtaXw4F2nbJ
Malware Config
Signatures
Modifies Windows Firewall (1 TTP, 3 IoCs)
  Processes:
    pid   process
    1220  netsh.exe
    1564  netsh.exe
    688   netsh.exe
Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1432  1928        WerFault.exe  Console.exe
Suspicious use of WriteProcessMemory (16 IoCs; each parent/child pair is reported four times, collapsed here into a count)
  Processes:
    description      pid   process      target pid  target process  count
    wrote to memory  1928  Console.exe  1220        netsh.exe       4
    wrote to memory  1928  Console.exe  1564        netsh.exe       4
    wrote to memory  1928  Console.exe  688         netsh.exe       4
    wrote to memory  1928  Console.exe  1432        WerFault.exe    4
Processes
C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe (PID 1928)
  command line: "C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe"
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\netsh.exe
    command line: netsh advfirewall firewall delete rule name="AKConsoleProxy" program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe"
    - Modifies Windows Firewall
  child: C:\Windows\SysWOW64\netsh.exe
    command line: netsh advfirewall firewall add rule name="AKConsoleProxy" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe" description=""
    - Modifies Windows Firewall
  child: C:\Windows\SysWOW64\netsh.exe
    command line: netsh advfirewall firewall add rule name="AKConsoleProxy" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe" description=""
    - Modifies Windows Firewall
  child: C:\Windows\SysWOW64\WerFault.exe (PID 1432)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 196
    - Program crash
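The security-relevant behaviour in this tree is the sample whitelisting itself in Windows Firewall: it deletes any existing rule named AKConsoleProxy, then adds an inbound and an outbound allow rule for its own binary sitting under a user-writable Temp path. The WriteProcessMemory hits are all from Console.exe into the children it spawned, which is what a parent does when it creates a process, so on their own they add little; the netsh sequence is what to detect. The script below is an added example, not part of the sandbox report or of the sample: it parses netsh advfirewall command lines from process-creation telemetry and flags (a) allow rules for programs in user-writable locations and (b) a delete-then-add of the same rule name by one parent process. The sample events are constructed from the process tree above; the report does not pair each netsh PID with a specific command line, so the PIDs 1220, 1564 and 688 are assigned in the order the report lists them, and the two benign admin commands are invented for contrast. The set of "user-writable" path prefixes is an assumption to tune per environment.

```python
"""Detect netsh advfirewall rule tampering of the kind seen in the process tree above."""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: paths a standard user can write to. An allow rule pointing a
# firewall exception at a binary here is suspicious; tune for your estate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class FirewallRuleOp:
    verb: str                                  # add / delete / set
    params: dict = field(default_factory=dict)  # name=, dir=, action=, program=, ...


def parse_netsh_firewall(cmdline: str):
    """Parse 'netsh advfirewall firewall <verb> rule k=v ...'; return None otherwise."""
    toks = shlex.split(cmdline)   # POSIX quoting rules keep Windows backslashes intact
    low = [t.lower() for t in toks]
    if "advfirewall" not in low:
        return None
    i = low.index("advfirewall")
    if low[i + 1:i + 2] != ["firewall"] or low[i + 3:i + 4] != ["rule"]:
        return None
    params = {}
    for tok in toks[i + 4:]:
        key, sep, val = tok.partition("=")
        if sep:
            params[key.lower()] = val
    return FirewallRuleOp(verb=low[i + 2], params=params)


def assess(op: FirewallRuleOp):
    """Per-command findings for a parsed firewall rule operation."""
    findings = []
    prog = op.params.get("program", "")
    if op.verb == "add" and op.params.get("action", "").lower() == "allow":
        if USER_WRITABLE.match(prog):
            findings.append("allow rule for binary in user-writable path")
        if op.params.get("dir", "").lower() == "out" and prog:
            # Default outbound policy is allow, so an explicit per-program outbound
            # allow only matters under a block-outbound policy; malware adds it anyway.
            findings.append("explicit outbound allow for a program")
    return findings


def triage(events):
    """events: dicts with ppid, pid, cmdline. Returns (pid, finding) tuples;
    sequence findings carry the parent's pid."""
    hits = []
    verbs_by_parent_and_name = defaultdict(list)
    for ev in events:
        op = parse_netsh_firewall(ev["cmdline"])
        if op is None:
            continue
        for finding in assess(op):
            hits.append((ev["pid"], finding))
        name = op.params.get("name")
        if name:
            verbs_by_parent_and_name[(ev["ppid"], name.lower())].append(op.verb)
    # One parent deleting a rule name and re-adding it is idempotent self-whitelisting.
    for (ppid, name), verbs in verbs_by_parent_and_name.items():
        if "delete" in verbs and "add" in verbs:
            hits.append((ppid, f"delete-then-add of rule '{name}' by same parent"))
    return hits


# Constructed from the process tree above (PIDs assigned in report order); the
# last two events are invented benign admin activity for contrast.
SAMPLE_EVENTS = [
    {"ppid": 1928, "pid": 1220, "cmdline": r'netsh advfirewall firewall delete rule name="AKConsoleProxy" program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe"'},
    {"ppid": 1928, "pid": 1564, "cmdline": r'netsh advfirewall firewall add rule name="AKConsoleProxy" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe" description=""'},
    {"ppid": 1928, "pid": 688, "cmdline": r'netsh advfirewall firewall add rule name="AKConsoleProxy" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe" description=""'},
    {"ppid": 4000, "pid": 4001, "cmdline": r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\Vendor\vpn.exe"'},
    {"ppid": 4000, "pid": 4002, "cmdline": r'netsh advfirewall firewall add rule name="Block telnet" dir=in action=block protocol=TCP localport=23'},
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Feed it process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled); the delete/add correlation keys on parent PID, so it only fires when the same process both removes and recreates a rule name, which the benign admin events do not do.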