Analysis
max time kernel: 7s
max time network: 141s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: 299ecd188ad0ca3be20f245bc720969f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 299ecd188ad0ca3be20f245bc720969f.exe
  Resource: win10v2004-20231215-en
General
Target: 299ecd188ad0ca3be20f245bc720969f.exe
Size: 6KB
MD5: 299ecd188ad0ca3be20f245bc720969f
SHA1: 754b5202b9ed40335b6239527e0f0fae62e5f7ab
SHA256: 4f5eab20ce89ca95f447e6d9215e389d87de0837e444ffd6505e67d681ea77f7
SHA512: 951bfb24d11abbb6e7930fb3d0f6b9e5ef87fd3508f207f970f30962fc622304ef5556140e7f21501c96f4fe44a337d7d21629e792be457aa7376f6f7b5a3ff3
SSDEEP: 96:JUvu8PNpQHrsbwOrWnuVE7zgI4XUIi9qxZSf8ejA+s1e3/IESWsKuF:JUvu8PN+3OrJWOVwf8ek+We3/IrWTuF
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 299ecd188ad0ca3be20f245bc720969f.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\kernels64.exe"
    process: 299ecd188ad0ca3be20f245bc720969f.exe
Disables Task Manager via registry modification
Modifies Windows Firewall (1 TTP, 1 IoC)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 299ecd188ad0ca3be20f245bc720969f.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernels64.exe"
    process: 299ecd188ad0ca3be20f245bc720969f.exe
Drops file in System32 directory (2 IoCs)
  Process: 299ecd188ad0ca3be20f245bc720969f.exe
    description: File opened for modification
    ioc: C:\Windows\SysWOW64\kernels64.exe
    process: 299ecd188ad0ca3be20f245bc720969f.exe
    description: File created
    ioc: C:\Windows\SysWOW64\kernels64.exe
    process: 299ecd188ad0ca3be20f245bc720969f.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 299ecd188ad0ca3be20f245bc720969f.exe
    pid: 1720
    process: 299ecd188ad0ca3be20f245bc720969f.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 299ecd188ad0ca3be20f245bc720969f.exe
    description: PID 1720 wrote to memory of 2196; pid: 1720; process: 299ecd188ad0ca3be20f245bc720969f.exe; target process: netsh.exe
    description: PID 1720 wrote to memory of 2196; pid: 1720; process: 299ecd188ad0ca3be20f245bc720969f.exe; target process: netsh.exe
    description: PID 1720 wrote to memory of 2196; pid: 1720; process: 299ecd188ad0ca3be20f245bc720969f.exe; target process: netsh.exe
    description: PID 1720 wrote to memory of 2196; pid: 1720; process: 299ecd188ad0ca3be20f245bc720969f.exe; target process: netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\299ecd188ad0ca3be20f245bc720969f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\299ecd188ad0ca3be20f245bc720969f.exe"
   PID: 1720
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set allowedprogram C:\Users\Admin\AppData\Local\Temp\299ecd188ad0ca3be20f245bc720969f.exe enable
      PID: 2196
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)