Analysis
max time kernel: 9s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2023 02:45
Behavioral tasks
behavioral1: sample aa202ce0c8f108d0a633d5acfd5059c4.exe, resource win7-20231215-en
behavioral2: sample aa202ce0c8f108d0a633d5acfd5059c4.exe, resource win10v2004-20231215-en (the run shown in this report)
General
Target: aa202ce0c8f108d0a633d5acfd5059c4.exe
Size: 23KB
MD5: aa202ce0c8f108d0a633d5acfd5059c4
SHA1: 13262010d714b2eaf6e4a360543811285957e69c
SHA256: b21ad9fd00a171f448646277bf44b6ae551ec37d154acd6f73de6bd4566c0995
SHA512: 78860014d6c7202ae49f05a71349170dbc711fdf8312b21dfe61a159b26f22783de7340c6fc1d812455730f71cbd86262415c6c4168f47219ca02de9da9d5c19
SSDEEP: 384:0+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZSg:Dm+71d5XRpcnuU
Malware Config
Signatures
Modifies Windows Firewall (1 TTP, 1 IoC)
  netsh.exe (PID 3652), launched by the sample, adds the sample's own Temp-path executable as a firewall exception; the full command line is in the Processes section.
Drops startup file (2 IoCs)
  Process: aa202ce0c8f108d0a633d5acfd5059c4.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc42ff4b8c2f3659d94a8780ccc2575.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc42ff4b8c2f3659d94a8780ccc2575.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: aa202ce0c8f108d0a633d5acfd5059c4.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6dc42ff4b8c2f3659d94a8780ccc2575 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aa202ce0c8f108d0a633d5acfd5059c4.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6dc42ff4b8c2f3659d94a8780ccc2575 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aa202ce0c8f108d0a633d5acfd5059c4.exe\" .."
  Note: both Run values point at the original Temp-path copy (with a trailing " .." argument), not at the Startup-folder copy, so the two persistence mechanisms are independent and removing one leaves the other in place. The HKLM value landed under WOW6432Node, the registry-redirected view a 32-bit process sees; a successful HKLM write means the sample ran with administrative rights in this sandbox, and on a standard-user host only the HKCU value would succeed.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  No network traffic is recorded in this run (the Network section is empty), so this signature cannot be corroborated from captured connections here.
Suspicious use of WriteProcessMemory (3 IoCs)
  Process: aa202ce0c8f108d0a633d5acfd5059c4.exe (PID 2820) wrote to the memory of netsh.exe (PID 3652) three times.
  Note: a burst of three parent-to-child writes at the moment a child is spawned is what process creation itself produces; this IoC is consistent with the sample simply launching netsh.exe and is not, on its own, evidence of code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe (PID 2820)
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (PID 3652, child of 2820)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe" "aa202ce0c8f108d0a633d5acfd5059c4.exe" ENABLE
      - Modifies Windows Firewall
      Note: netsh runs from SysWOW64 because the 32-bit sample launched it through file-system redirection. The legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall" but is still accepted on Windows 10; "add allowedprogram ... ENABLE" creates an inbound exception for the named executable, which is what a backdoor needs in order to accept incoming connections. The exception is tied to the Temp path, the same path the Run keys reference.
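The three behaviours this report records (Run-key autostart, an executable dropped into the Startup folder, and netsh adding a firewall exception) map cleanly onto host telemetry. The following is an added detection example, not part of the sandbox report or of the sample: it runs simple rules over constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set; the field names and the event dicts are assumptions built to mirror the IoCs above, plus two benign entries that must not fire). It goes beyond the report in two ways, stated here so the generalisation is explicit: it also matches RunOnce keys and the current `netsh advfirewall firewall add rule ... program=` syntax, and it keys on whether the referenced binary lives in a user-writable location rather than on this sample's names.

```python
"""Added example: detection logic for Run-key autostart, Startup-folder drops and
netsh firewall exceptions, run over constructed Sysmon-style events (not real telemetry)."""
import re
from dataclasses import dataclass

# Paths a standard user can write to. An autostart entry or firewall exception pointing
# here deserves attention; one pointing into Program Files or System32 usually is not.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|programdata\\|windows\\temp\\)",
    re.I,
)
RUN_KEY = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\", re.I
)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
EXEC_EXT = (".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Program path in the legacy `firewall add allowedprogram <path>` form seen in the report
# or in the current `advfirewall firewall add rule ... program=<path>` form.
NETSH_PROGRAM = re.compile(
    r'(?:allowedprogram\s+(?:program=)?|\bprogram=)(?:"([^"]+)"|(\S+))', re.I
)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def first_path(cmd: str) -> str:
    """Program path at the start of a command line or Run value, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def run_key_from_user_writable(ev):
    """Sysmon 13: Run/RunOnce value whose target binary lives in a user-writable path."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    target = first_path(ev.get("Details", ""))
    if not USER_WRITABLE.match(target):
        return None
    args = ev["Details"].split(target, 1)[1].strip(' "')  # e.g. the " .." seen above
    return Finding("autostart_run_key_user_writable", ev["ProcessId"],
                   f"{ev['TargetObject']} -> {target} args={args!r}")


def startup_folder_executable_drop(ev):
    """Sysmon 11: executable-type file written into a Start Menu\\Programs\\Startup folder."""
    name = ev.get("TargetFilename", "")
    if ev.get("EventID") != 11 or not STARTUP_DIR.search(name):
        return None
    if not name.lower().endswith(EXEC_EXT):
        return None
    return Finding("startup_folder_executable_drop", ev["ProcessId"], name)


def netsh_firewall_exception(ev):
    """Sysmon 1: netsh.exe adding a firewall exception for a user-writable program."""
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    if ev.get("EventID") != 1 or image != "netsh.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "firewall" not in cmd.lower():
        return None
    m = NETSH_PROGRAM.search(cmd)
    program = (m.group(1) or m.group(2)) if m else ""
    if not USER_WRITABLE.match(program):
        return None
    return Finding("netsh_firewall_exception_user_writable", ev["ProcessId"],
                   f"parent={ev.get('ParentProcessId')} program={program}")


RULES = (run_key_from_user_writable, startup_folder_executable_drop, netsh_firewall_exception)


def scan(events):
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa202ce0c8f108d0a633d5acfd5059c4.exe"
SID = "S-1-5-21-1232405761-1209240240-3206092754-1000"
SAMPLE_EVENTS = [  # constructed to mirror the report's IoCs; not real telemetry
    {"EventID": 13, "ProcessId": 2820, "Image": SAMPLE, "Details": f'"{SAMPLE}" ..',
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6dc42ff4b8c2f3659d94a8780ccc2575"},
    {"EventID": 13, "ProcessId": 2820, "Image": SAMPLE, "Details": f'"{SAMPLE}" ..',
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6dc42ff4b8c2f3659d94a8780ccc2575"},
    {"EventID": 11, "ProcessId": 2820, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc42ff4b8c2f3659d94a8780ccc2575.exe"},
    {"EventID": 1, "ProcessId": 3652, "ParentProcessId": 2820, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{SAMPLE}" "aa202ce0c8f108d0a633d5acfd5059c4.exe" ENABLE'},
    # Same technique in the current netsh syntax (constructed, not from the report).
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 5000, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\ProgramData\svc\svc.exe"'},
    # Benign noise that must not fire.
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 900, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Against the constructed events the scan yields five findings (two Run values, one Startup drop, two netsh exceptions) and nothing for the OneDrive Run value or the read-only netsh call. The user-writable-path test is what keeps the rules quiet on installers; tune USER_WRITABLE to the directories your own estate treats as untrusted.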
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads (memory dumps, all from PID 2820)
memory/2820-0-0x0000000075090000-0x0000000075641000-memory.dmp  5.7MB
memory/2820-1-0x0000000075090000-0x0000000075641000-memory.dmp  5.7MB
memory/2820-2-0x0000000001230000-0x0000000001240000-memory.dmp  64KB
memory/2820-4-0x0000000075090000-0x0000000075641000-memory.dmp  5.7MB
memory/2820-5-0x0000000075090000-0x0000000075641000-memory.dmp  5.7MB
memory/2820-6-0x0000000001230000-0x0000000001240000-memory.dmp  64KB
Two regions were dumped repeatedly: a 5.7MB mapping at 0x75090000 and a 64KB region at 0x01230000. Both addresses lie in the 32-bit address space, consistent with the sample running as a WOW64 process.