a427d646432979e1ada922b272e55461f41df736f49e614cefc1ac8e8595c340

Analysis

max time kernel
0s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b68e66152b7aecb2ce5916777c470cb.exe
Size

24KB
MD5

3b68e66152b7aecb2ce5916777c470cb
SHA1

7a79df8415180728eb8e5e53b5954dff620e4765
SHA256

a427d646432979e1ada922b272e55461f41df736f49e614cefc1ac8e8595c340
SHA512

84a89d569004ae7a061adabd5650848fe15833a43e303059155c0c78f4f1210524901fca6ae7efad2b8eba4f450a6a463a27188b2fa0baa9a70bb51fb7b98743
SSDEEP

192:E+EsB3ysfnQ6UH1MeOwzxy+4du1DlZrIz26F0sRuxVmrknTQyKHin91dsfI2EtgK:E+EEysfj+MAz8+40lZE66FRHIKHgt5h

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2336	netsh.exe
1924	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2756-13-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4920-12-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x000300000001e982-11.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Shell API32 = "svcnet.exe"	3b68e66152b7aecb2ce5916777c470cb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell API32 = "svcnet.exe"	3b68e66152b7aecb2ce5916777c470cb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcnet.exe	3b68e66152b7aecb2ce5916777c470cb.exe
File opened for modification	C:\Windows\SysWOW64\svcnet.exe	3b68e66152b7aecb2ce5916777c470cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\3b68e66152b7aecb2ce5916777c470cb.exe
"C:\Users\Admin\AppData\Local\Temp\3b68e66152b7aecb2ce5916777c470cb.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4920
- C:\Windows\SysWOW64\svcnet.exe
  "C:\Windows\system32\svcnet.exe"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\713.bat" "
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram C:\Windows\system32\svcnet.exe
    3⤵
    - Modifies Windows Firewall
    PID:2336

C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram "C:\Windows\system32\svcnet.exe"
1⤵
- Modifies Windows Firewall
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\713.bat

Filesize
195B

MD5
bc4f0be74e7338910abd06b7ee4f2a06

SHA1
14ddf950130b4b4645d2d31b02d47fce6b31b699

SHA256
1c778de9de58e0706eb4883691c542944ebbca56a0e6d3af0f035b18f5f8e96b

SHA512
d75c1e09ebad4724e37f0dcecee8dad314a11275a62bd9ece0a91f6e684c8bf41aa17a16274b5e9bbf65f3b63a6d295f22c1a18733782878fb0b8bdb5825d2e5

Download Submit
C:\Windows\SysWOW64\svcnet.exe

Filesize
24KB

MD5
3b68e66152b7aecb2ce5916777c470cb

SHA1
7a79df8415180728eb8e5e53b5954dff620e4765

SHA256
a427d646432979e1ada922b272e55461f41df736f49e614cefc1ac8e8595c340

SHA512
84a89d569004ae7a061adabd5650848fe15833a43e303059155c0c78f4f1210524901fca6ae7efad2b8eba4f450a6a463a27188b2fa0baa9a70bb51fb7b98743

Download Submit
memory/2756-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4920-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4920-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads