Analysis
- max time kernel: 95s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2023 16:51
Static task: static1
Behavioral task behavioral1: Sample infected (2)/1/Application.exe, Resource win7-20230220-en
Behavioral task behavioral2: Sample infected (2)/1/Application.exe, Resource win10v2004-20230220-en
Behavioral task behavioral3: Sample infected (2)/1/XLGameUpdate.exe, Resource win7-20230220-en
Behavioral task behavioral4: Sample infected (2)/1/XLGameUpdate.exe, Resource win10v2004-20230220-en
Behavioral task behavioral5: Sample infected (2)/2/Console.exe, Resource win7-20230220-en
Behavioral task behavioral6: Sample infected (2)/2/Console.exe, Resource win10v2004-20230220-en
General
- Target: infected (2)/2/Console.exe
- Size: 1.0MB
- MD5: 3aaf501f5a33c7b5457cdc9d876175e4
- SHA1: 984dd31cde0808a038ab7dda7c725589d9b93ccf
- SHA256: f57a2410ce496f17befaf980e3d38156f6f3641b2daa546ac42fc5181c2cce89
- SHA512: f8ad9a8d86aab7b0c3f3008f5ee2530bf5515fd1128882394add2ca66cbab073694fd5cae8ebc3927af493a103f523fdcde6672ff07bfa02f391d07e4e9c44c0
- SSDEEP: 24576:hjXTI+uEu0on2l+syXOCHAvJNMVqT5HjTEtkD9UQwZqF2nbJ:GZn2l+syXOCHAvXvTdEtaXw4F2nbJ
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 3 IoCs)
  Processes (pid, process):
    1868  netsh.exe
    216   netsh.exe
    3760  netsh.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege  1928  Console.exe
    Token: SeDebugPrivilege     1928  Console.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1928 wrote to memory of 1868  1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 1868  1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 1868  1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 216   1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 216   1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 216   1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 3760  1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 3760  1928  Console.exe  netsh.exe
    PID 1928 wrote to memory of 3760  1928  Console.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh advfirewall firewall delete rule name="AKConsoleProxy" program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe"
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh advfirewall firewall add rule name="AKConsoleProxy" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe" description=""
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh advfirewall firewall add rule name="AKConsoleProxy" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\infected (2)\2\Console.exe" description=""
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1928-133-0x0000000002810000-0x000000000286C000-memory.dmp (Filesize: 368KB)
- memory/1928-134-0x0000000002810000-0x000000000286C000-memory.dmp (Filesize: 368KB)
- memory/1928-135-0x0000000002810000-0x000000000286C000-memory.dmp (Filesize: 368KB)
- memory/1928-136-0x0000000002810000-0x000000000286C000-memory.dmp (Filesize: 368KB)
- memory/1928-138-0x0000000002810000-0x000000000286C000-memory.dmp (Filesize: 368KB)