24d8b33ffceaa0cee17a6258d39be1317672fc481c889822cf38963e3eb488c2

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decryp.exe
Size

18KB
MD5

0bddede8897d9d810f34d4eab1f6f07a
SHA1

b0b74c8a73699f93915154826ba8cfebe92c1dd4
SHA256

24d8b33ffceaa0cee17a6258d39be1317672fc481c889822cf38963e3eb488c2
SHA512

ae2e6cd9495b54c6fc9c4c27ece37bf0719bf42bd9c5bba4a29782f50d127d6a32461a405d9014b311e9de51d0ffc7c6001f9dbcdbbde94a92a2c51e661fe1fa
SSDEEP

384:3G1LKciD3h+fRSsBS9UpM8WefjHYc0wu:3G1LK1/sBS978/fTYc0wu

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 5 IoCs

evasion

Windows Service

T1543.003

pid	Process
2756	netsh.exe
2260	netsh.exe
2548	netsh.exe
2716	netsh.exe
2672	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2568	reg.exe
1844	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1328	3048	decryp.exe	29
PID 3048 wrote to memory of 1328	3048	decryp.exe	29
PID 3048 wrote to memory of 1328	3048	decryp.exe	29
PID 1328 wrote to memory of 2716	1328	cmd.exe	30
PID 1328 wrote to memory of 2716	1328	cmd.exe	30
PID 1328 wrote to memory of 2716	1328	cmd.exe	30
PID 1328 wrote to memory of 2672	1328	cmd.exe	32
PID 1328 wrote to memory of 2672	1328	cmd.exe	32
PID 1328 wrote to memory of 2672	1328	cmd.exe	32
PID 1328 wrote to memory of 2756	1328	cmd.exe	33
PID 1328 wrote to memory of 2756	1328	cmd.exe	33
PID 1328 wrote to memory of 2756	1328	cmd.exe	33
PID 1328 wrote to memory of 2260	1328	cmd.exe	34
PID 1328 wrote to memory of 2260	1328	cmd.exe	34
PID 1328 wrote to memory of 2260	1328	cmd.exe	34
PID 1328 wrote to memory of 2548	1328	cmd.exe	35
PID 1328 wrote to memory of 2548	1328	cmd.exe	35
PID 1328 wrote to memory of 2548	1328	cmd.exe	35
PID 1328 wrote to memory of 2660	1328	cmd.exe	36
PID 1328 wrote to memory of 2660	1328	cmd.exe	36
PID 1328 wrote to memory of 2660	1328	cmd.exe	36
PID 1328 wrote to memory of 2568	1328	cmd.exe	37
PID 1328 wrote to memory of 2568	1328	cmd.exe	37
PID 1328 wrote to memory of 2568	1328	cmd.exe	37
PID 1328 wrote to memory of 2752	1328	cmd.exe	38
PID 1328 wrote to memory of 2752	1328	cmd.exe	38
PID 1328 wrote to memory of 2752	1328	cmd.exe	38
PID 1328 wrote to memory of 1844	1328	cmd.exe	39
PID 1328 wrote to memory of 1844	1328	cmd.exe	39
PID 1328 wrote to memory of 1844	1328	cmd.exe	39
PID 1328 wrote to memory of 2516	1328	cmd.exe	40
PID 1328 wrote to memory of 2516	1328	cmd.exe	40
PID 1328 wrote to memory of 2516	1328	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\decryp.exe
"C:\Users\Admin\AppData\Local\Temp\decryp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:2716
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:2672
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:2756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:2260
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:2548
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
    3⤵
    PID:2660
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
    3⤵
    - Modifies registry key
    PID:2568
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
    3⤵
    PID:2752
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
    3⤵
    - Modifies registry key
    PID:1844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Remove-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-8-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2516-7-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-10-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2516-9-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-11-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-12-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-13-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2516-14-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-0-0x0000000001210000-0x000000000121A000-memory.dmp

Filesize
40KB

Download
memory/3048-1-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-2-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download