Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2023 00:22
Behavioral task behavioral1
- Sample: aa202ce0c8f108d0a633d5acfd5059c4.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: aa202ce0c8f108d0a633d5acfd5059c4.exe
- Resource: win10v2004-20231215-en
General
- Target: aa202ce0c8f108d0a633d5acfd5059c4.exe
- Size: 23KB
- MD5: aa202ce0c8f108d0a633d5acfd5059c4
- SHA1: 13262010d714b2eaf6e4a360543811285957e69c
- SHA256: b21ad9fd00a171f448646277bf44b6ae551ec37d154acd6f73de6bd4566c0995
- SHA512: 78860014d6c7202ae49f05a71349170dbc711fdf8312b21dfe61a159b26f22783de7340c6fc1d812455730f71cbd86262415c6c4168f47219ca02de9da9d5c19
- SSDEEP: 384:0+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZSg:Dm+71d5XRpcnuU
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: aa202ce0c8f108d0a633d5acfd5059c4.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc42ff4b8c2f3659d94a8780ccc2575.exe | aa202ce0c8f108d0a633d5acfd5059c4.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc42ff4b8c2f3659d94a8780ccc2575.exe | aa202ce0c8f108d0a633d5acfd5059c4.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: aa202ce0c8f108d0a633d5acfd5059c4.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6dc42ff4b8c2f3659d94a8780ccc2575 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aa202ce0c8f108d0a633d5acfd5059c4.exe\" .." | aa202ce0c8f108d0a633d5acfd5059c4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6dc42ff4b8c2f3659d94a8780ccc2575 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aa202ce0c8f108d0a633d5acfd5059c4.exe\" .." | aa202ce0c8f108d0a633d5acfd5059c4.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: aa202ce0c8f108d0a633d5acfd5059c4.exe
  description | pid | process
  Token: SeDebugPrivilege | 2272 | aa202ce0c8f108d0a633d5acfd5059c4.exe
  Token: 33 | 2272 | aa202ce0c8f108d0a633d5acfd5059c4.exe
  Token: SeIncBasePriorityPrivilege | 2272 | aa202ce0c8f108d0a633d5acfd5059c4.exe
  (the last two rows alternate and repeat 17 times each, 35 IoCs in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: aa202ce0c8f108d0a633d5acfd5059c4.exe
  description | pid | process | target process
  PID 2272 wrote to memory of 1572 | 2272 | aa202ce0c8f108d0a633d5acfd5059c4.exe | netsh.exe
  (the same row is recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe" "aa202ce0c8f108d0a633d5acfd5059c4.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
- memory/2272-0-0x0000000074E30000-0x00000000753E1000-memory.dmp (Filesize 5.7MB)
- memory/2272-1-0x0000000074E30000-0x00000000753E1000-memory.dmp (Filesize 5.7MB)
- memory/2272-2-0x0000000000C50000-0x0000000000C60000-memory.dmp (Filesize 64KB)
- memory/2272-4-0x0000000074E30000-0x00000000753E1000-memory.dmp (Filesize 5.7MB)
- memory/2272-5-0x0000000074E30000-0x00000000753E1000-memory.dmp (Filesize 5.7MB)