Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
23/11/2023, 22:40
Behavioral task
behavioral1
Sample
0x000a000000012025-3.exe
Resource
win7-20231020-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
0x000a000000012025-3.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
0x000a000000012025-3.exe
-
Size
37KB
-
MD5
35727b79d04ec3ec0733ed94e6021fb7
-
SHA1
883975332aa2520557fd7432a4be478544fa1926
-
SHA256
6a2fb9232ed317a5f3864baf7b7f58a8ba042ecc46486a986e10ce9f4625efab
-
SHA512
d1c0b8824cc0aae115f3b7fbf91428c62a46e2a171d0271b8391227a409ac2fbcc270b144dba7219314007e8b64d16320b8e4c74db3b8f738e3bdc1f2bc9a277
-
SSDEEP
384:k0SvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzXY:fS7TZ38fvCv3E1c1rM+rMRa8Nu72t
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2644 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8930bbff6fce9b7599f208ceade24fb.exe 0x000a000000012025-3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8930bbff6fce9b7599f208ceade24fb.exe 0x000a000000012025-3.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\a8930bbff6fce9b7599f208ceade24fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0x000a000000012025-3.exe\" .." 0x000a000000012025-3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a8930bbff6fce9b7599f208ceade24fb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0x000a000000012025-3.exe\" .." 0x000a000000012025-3.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 0x000a000000012025-3.exe File created D:\autorun.inf 0x000a000000012025-3.exe File created F:\autorun.inf 0x000a000000012025-3.exe File opened for modification F:\autorun.inf 0x000a000000012025-3.exe File created C:\autorun.inf 0x000a000000012025-3.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe 2224 0x000a000000012025-3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2224 0x000a000000012025-3.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe Token: 33 2224 0x000a000000012025-3.exe Token: SeIncBasePriorityPrivilege 2224 0x000a000000012025-3.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2224 wrote to memory of 2644 2224 0x000a000000012025-3.exe 28 PID 2224 wrote to memory of 2644 2224 0x000a000000012025-3.exe 28 PID 2224 wrote to memory of 2644 2224 0x000a000000012025-3.exe 28 PID 2224 wrote to memory of 2644 2224 0x000a000000012025-3.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000a000000012025-3.exe"C:\Users\Admin\AppData\Local\Temp\0x000a000000012025-3.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0x000a000000012025-3.exe" "0x000a000000012025-3.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2644
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD535727b79d04ec3ec0733ed94e6021fb7
SHA1883975332aa2520557fd7432a4be478544fa1926
SHA2566a2fb9232ed317a5f3864baf7b7f58a8ba042ecc46486a986e10ce9f4625efab
SHA512d1c0b8824cc0aae115f3b7fbf91428c62a46e2a171d0271b8391227a409ac2fbcc270b144dba7219314007e8b64d16320b8e4c74db3b8f738e3bdc1f2bc9a277