Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2023 16:46
Behavioral task: behavioral1
- Sample: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
- Resource: win7-20230621-en (windows7-x64)
- 6 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
- Resource: win10v2004-20230621-en (windows10-2004-x64)
- 7 signatures
- 150 seconds
General
- Target: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
- Size: 31KB
- MD5: 11ac1b109edb30c424b20c617beb6916
- SHA1: 03ae0d139376f7e3b0d1ebb04f8db94aeb09ee36
- SHA256: e3125350e7b146cdf13186e9445a7fbea6eb844ed6b2c1365de22111e3faa1e4
- SHA512: d263fbf5eea1283506d3524a7d343ff60ca537cdf149a00017daa348aa2804e7f1d1016fee44f76d8b452638e3e76b214930dda41b8c5b9a65dc176bd219be72
- SSDEEP: 768:gmv4fqdzNB0zx/6LmzmnAXdvAFQmIDUu0tirLj:a6KjpAQVk+j
- Score: 8/10
Malware Config

Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4a09cd484fd6f470d5ada5572d6d011.exe | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4a09cd484fd6f470d5ada5572d6d011.exe | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\c4a09cd484fd6f470d5ada5572d6d011 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe\" .." | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c4a09cd484fd6f470d5ada5572d6d011 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe\" .." | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  description | pid | process
  Token: SeDebugPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: 33 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Token: SeIncBasePriorityPrivilege | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  description | pid | process | target process
  PID 1508 wrote to memory of 908 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe | netsh.exe
  PID 1508 wrote to memory of 908 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe | netsh.exe
  PID 1508 wrote to memory of 908 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe | netsh.exe
  PID 1508 wrote to memory of 908 | 1508 | E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child process)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe" "E3125350E7B146CDF13186E9445A7FBEA6EB844ED6B2C.exe" ENABLE
    - Modifies Windows Firewall