Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2023 01:58
Behavioral task: behavioral1
Sample: 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Resource: win10v2004-20230220-en
General
Target: 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Size: 37KB
MD5: a8d353fe68c4d8129cad19385b04bf94
SHA1: 3bfa6c3c2ee96f829c8baf625fff8f7a5c2c5fbd
SHA256: 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc
SHA512: 39fbdc2ef9204564625600ed58d14090f3463576ce7bfce82117a98bf268bd169d9cf287cf5b779856a6075ba93b6932ef547d6b3bf3f8e261192762dc539772
SSDEEP: 384:vuoPVSikmD0NVtv/Vey0bEGfF8s+yvErAF+rMRTyN/0L+EcoinblneHQM3epzXJn:m4HO1VV0bEGmVycrM+rMRa8Nuf9t
Malware Config
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes: description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1bc01589947839912291841e607b317.exe | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1bc01589947839912291841e607b317.exe | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1bc01589947839912291841e607b317 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe\" .." | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e1bc01589947839912291841e607b317 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe\" .." | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: description | ioc | process
  File created | C:\autorun.inf | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
  File opened for modification | C:\autorun.inf | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
  File created | D:\autorun.inf | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pid | process
  1712 | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe (64 identical rows, one per IoC)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: pid | process
  1712 | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: description | pid | process
All 23 rows have pid 1712 and process 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe. Token descriptions in order:
  Token: SeDebugPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: description | pid | process | target process
  PID 1712 wrote to memory of 916 | 1712 | 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe | netsh.exe (4 identical rows, one per IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe"
   - Drops startup file
   - Adds Run key to start application
   - Drops autorun.inf file
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of process 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe" "25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe" ENABLE
      - Modifies Windows Firewall