33a1587a5ab09de9236f32a161e95dc09c4bb2eeff94afe2823000609c3a0136

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e6962b5b9e1f1642cb80880b95ba72.exe
Size

132KB
MD5

00e6962b5b9e1f1642cb80880b95ba72
SHA1

c8d374c5f66aee572edbef80501c570d99451250
SHA256

33a1587a5ab09de9236f32a161e95dc09c4bb2eeff94afe2823000609c3a0136
SHA512

266c453df3da2bb584297722ec46ee7d97136ee94b8900ba2c178b1c9754399df3244107ae587e6fefc8495282e785f0a064051116d09214cf3cfb8eb941270e
SSDEEP

3072:GS+7biXjHT4opVSVJeCluU+ekLBjS4JE0Sgm43:X+7biXRkXtlEeYB80Sgf

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
912	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
384	ntfyapp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfyapp = "C:\\Windows\\ntfyapp.exe"	00e6962b5b9e1f1642cb80880b95ba72.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntfyapp.exe	00e6962b5b9e1f1642cb80880b95ba72.exe
File opened for modification	C:\Windows\ntfyapp.exe	00e6962b5b9e1f1642cb80880b95ba72.exe
File created	C:\Windows\ntfyapp.config	ntfyapp.exe
File opened for modification	C:\Windows\ntfyapp.config	ntfyapp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4112	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	90
PID 4868 wrote to memory of 4112	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	90
PID 4868 wrote to memory of 4112	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	90
PID 4868 wrote to memory of 1804	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	91
PID 4868 wrote to memory of 1804	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	91
PID 4868 wrote to memory of 1804	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	91
PID 4868 wrote to memory of 384	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	94
PID 4868 wrote to memory of 384	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	94
PID 4868 wrote to memory of 384	4868	00e6962b5b9e1f1642cb80880b95ba72.exe	94
PID 384 wrote to memory of 912	384	ntfyapp.exe	95
PID 384 wrote to memory of 912	384	ntfyapp.exe	95
PID 384 wrote to memory of 912	384	ntfyapp.exe	95
PID 1804 wrote to memory of 2488	1804	w32tm.exe	98
PID 1804 wrote to memory of 2488	1804	w32tm.exe	98
PID 4112 wrote to memory of 3928	4112	w32tm.exe	97
PID 4112 wrote to memory of 3928	4112	w32tm.exe	97

C:\Users\Admin\AppData\Local\Temp\00e6962b5b9e1f1642cb80880b95ba72.exe
"C:\Users\Admin\AppData\Local\Temp\00e6962b5b9e1f1642cb80880b95ba72.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    PID:3928
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /update
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\w32tm.exe
    w32tm /config /update
    3⤵
    PID:2488
- C:\Windows\ntfyapp.exe
  "C:\Windows\ntfyapp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\ntfyapp.exe" enable
    3⤵
    - Modifies Windows Firewall
    PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ntfyapp.config

Filesize
1KB

MD5
85a3e3ee2780fe893a444714ad43fe57

SHA1
cb8484d77e949aeaea6d7beb4522350f20ebc2d4

SHA256
f3be2af0a1a489c9d2922e96da7299d514c9c8a65a87c28a7612b29808a9f03c

SHA512
6acbd280654e42921ee477da438f48c3f5faffd690aaed5fc13893337474119e4a5b9903fc39396c7594f38861298b368b74a6021ddfb80beb9f7175c39e8dfe

Download Submit
C:\Windows\ntfyapp.exe

Filesize
132KB

MD5
00e6962b5b9e1f1642cb80880b95ba72

SHA1
c8d374c5f66aee572edbef80501c570d99451250

SHA256
33a1587a5ab09de9236f32a161e95dc09c4bb2eeff94afe2823000609c3a0136

SHA512
266c453df3da2bb584297722ec46ee7d97136ee94b8900ba2c178b1c9754399df3244107ae587e6fefc8495282e785f0a064051116d09214cf3cfb8eb941270e

Download Submit
memory/384-9-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4868-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4868-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4868-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads