Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 23-08-2023 19:43
Behavioral task: behavioral1
- Sample: 017fa7a20c92152e2a5533f75f090469.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: 017fa7a20c92152e2a5533f75f090469.exe
- Resource: win10v2004-20230703-en
General
- Target: 017fa7a20c92152e2a5533f75f090469.exe
- Size: 93KB
- MD5: 017fa7a20c92152e2a5533f75f090469
- SHA1: 7ea751d6b4f9f03e4f23603103edc4ccfdebbfdc
- SHA256: bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94
- SHA512: 6d330633b96af51187c362c280e00d3a0a199bf4ff5f21dfddd591dbffafd18b9e0fb5154dffbae0c94790addc62763c872ce10c7ae93a4cdf73e1b26d303ba5
- SSDEEP: 1536:TewOQIBlfGQFk2ZonmzaMxjEwzGi1dDsD1gS:TewMtFk2ZonmuMOi1dSC
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTPs, 3 IoCs)
  Processes:
    pid   process
    2840  netsh.exe
    2124  netsh.exe
    2808  netsh.exe
- Drops startup file (6 IoCs)
  Processes (process: 017fa7a20c92152e2a5533f75f090469.exe):
    description                   ioc
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03c49c7f7bdfd684069ba84c510171c9Steam.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03c49c7f7bdfd684069ba84c510171c9Steam.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in System32 directory (2 IoCs)
  Processes (process: 017fa7a20c92152e2a5533f75f090469.exe):
    description                   ioc
    File opened for modification  C:\Windows\SysWOW64\Explower.exe
    File created                  C:\Windows\SysWOW64\Explower.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (process: 017fa7a20c92152e2a5533f75f090469.exe):
    description                   ioc
    File created                  C:\Program Files (x86)\Explower.exe
    File opened for modification  C:\Program Files (x86)\Explower.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1496  017fa7a20c92152e2a5533f75f090469.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1496 wrote to memory of 2840  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2840  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2840  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2840  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2124  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2124  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2124  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2124  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2808  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2808  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2808  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
    PID 1496 wrote to memory of 2808  1496  017fa7a20c92152e2a5533f75f090469.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe"
  - Drops startup file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe" "017fa7a20c92152e2a5533f75f090469.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe"
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe" "017fa7a20c92152e2a5533f75f090469.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Explower.exe
  Filesize: 93KB
  MD5: 017fa7a20c92152e2a5533f75f090469
  SHA1: 7ea751d6b4f9f03e4f23603103edc4ccfdebbfdc
  SHA256: bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94
  SHA512: 6d330633b96af51187c362c280e00d3a0a199bf4ff5f21dfddd591dbffafd18b9e0fb5154dffbae0c94790addc62763c872ce10c7ae93a4cdf73e1b26d303ba5
- memory/1496-0-0x0000000074F40000-0x00000000754EB000-memory.dmp
  Filesize: 5.7MB
- memory/1496-2-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
  Filesize: 256KB
- memory/1496-1-0x0000000074F40000-0x00000000754EB000-memory.dmp
  Filesize: 5.7MB
- memory/1496-19-0x0000000074F40000-0x00000000754EB000-memory.dmp
  Filesize: 5.7MB
- memory/1496-20-0x0000000074F40000-0x00000000754EB000-memory.dmp
  Filesize: 5.7MB
- memory/1496-21-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
  Filesize: 256KB