Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-08-2023 19:41

General

  • Target

    017fa7a20c92152e2a5533f75f090469.exe

  • Size

    93KB

  • MD5

    017fa7a20c92152e2a5533f75f090469

  • SHA1

    7ea751d6b4f9f03e4f23603103edc4ccfdebbfdc

  • SHA256

    bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94

  • SHA512

    6d330633b96af51187c362c280e00d3a0a199bf4ff5f21dfddd591dbffafd18b9e0fb5154dffbae0c94790addc62763c872ce10c7ae93a4cdf73e1b26d303ba5

  • SSDEEP

    1536:TewOQIBlfGQFk2ZonmzaMxjEwzGi1dDsD1gS:TewMtFk2ZonmuMOi1dSC

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Drops startup file 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe
    "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe" "017fa7a20c92152e2a5533f75f090469.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:3188
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe" "017fa7a20c92152e2a5533f75f090469.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:768
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe"
      2⤵
      • Modifies Windows Firewall
      PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
    Filesize

    93KB

    MD5

    017fa7a20c92152e2a5533f75f090469

    SHA1

    7ea751d6b4f9f03e4f23603103edc4ccfdebbfdc

    SHA256

    bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94

    SHA512

    6d330633b96af51187c362c280e00d3a0a199bf4ff5f21dfddd591dbffafd18b9e0fb5154dffbae0c94790addc62763c872ce10c7ae93a4cdf73e1b26d303ba5

  • memory/1520-0-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB

  • memory/1520-1-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB

  • memory/1520-2-0x0000000000930000-0x0000000000940000-memory.dmp
    Filesize

    64KB

  • memory/1520-19-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB

  • memory/1520-20-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB