Analysis
-
max time kernel
227s -
max time network
288s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26-12-2023 09:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6306f11b58b3101f8733917a7e55f624.exe
Resource
win7-20231215-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
6306f11b58b3101f8733917a7e55f624.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
6306f11b58b3101f8733917a7e55f624.exe
-
Size
186KB
-
MD5
6306f11b58b3101f8733917a7e55f624
-
SHA1
710abd7c511f4b1ab964c2e1f2f11c49cf280323
-
SHA256
54a02c62da5909f1cb2c52a87925c58e559c3d789a3997417e705877cc9ba215
-
SHA512
e3a5a218f4efe3d2ed385cf3cf7a5e51fcb557e1ce3353cb48de177e7e093683204927adf1cbb770816a2422e83462d2bf7a563f2a8b531fb7e8d97f5d746426
-
SSDEEP
3072:jFjAY9/TB7tqg/4mwEG/erxGl1IlMAta77kFV3PLkTfxla:xcuVP2E8HA8kP/LCfa
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 18 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts services.exe -
Modifies security service 2 TTPs 24 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0" services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1" services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0" services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32" services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1" services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32" services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut services.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1" services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn services.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo services.exe -
Deletes itself 1 IoCs
pid Process 836 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1196 Explorer.EXE 464 services.exe -
Registers COM server for autorun 1 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$6367fb4bb5c9d074f341f311a16214c0\\n." 6306f11b58b3101f8733917a7e55f624.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 6306f11b58b3101f8733917a7e55f624.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" 6306f11b58b3101f8733917a7e55f624.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3308111660-3636268597-2291490419-1000\\$6367fb4bb5c9d074f341f311a16214c0\\n." 6306f11b58b3101f8733917a7e55f624.exe -
Unexpected DNS network traffic destination 18 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 66.85.130.234 Destination IP 66.85.130.234 Destination IP 66.85.130.234 Destination IP 194.165.17.3 Destination IP 194.165.17.3 Destination IP 194.165.17.3 Destination IP 194.165.17.3 Destination IP 66.85.130.234 Destination IP 66.85.130.234 Destination IP 194.165.17.3 Destination IP 194.165.17.3 Destination IP 66.85.130.234 Destination IP 66.85.130.234 Destination IP 194.165.17.3 Destination IP 194.165.17.3 Destination IP 66.85.130.234 Destination IP 194.165.17.3 Destination IP 66.85.130.234 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2844 set thread context of 836 2844 6306f11b58b3101f8733917a7e55f624.exe 27 -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\clsid 6306f11b58b3101f8733917a7e55f624.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} 6306f11b58b3101f8733917a7e55f624.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 6306f11b58b3101f8733917a7e55f624.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" 6306f11b58b3101f8733917a7e55f624.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3308111660-3636268597-2291490419-1000\\$6367fb4bb5c9d074f341f311a16214c0\\n." 6306f11b58b3101f8733917a7e55f624.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$6367fb4bb5c9d074f341f311a16214c0\\n." 6306f11b58b3101f8733917a7e55f624.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2844 6306f11b58b3101f8733917a7e55f624.exe 2844 6306f11b58b3101f8733917a7e55f624.exe 2844 6306f11b58b3101f8733917a7e55f624.exe 2844 6306f11b58b3101f8733917a7e55f624.exe 2844 6306f11b58b3101f8733917a7e55f624.exe 2844 6306f11b58b3101f8733917a7e55f624.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 2844 6306f11b58b3101f8733917a7e55f624.exe Token: SeDebugPrivilege 2844 6306f11b58b3101f8733917a7e55f624.exe Token: SeDebugPrivilege 2844 6306f11b58b3101f8733917a7e55f624.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2844 wrote to memory of 1196 2844 6306f11b58b3101f8733917a7e55f624.exe 11 PID 2844 wrote to memory of 1196 2844 6306f11b58b3101f8733917a7e55f624.exe 11 PID 2844 wrote to memory of 464 2844 6306f11b58b3101f8733917a7e55f624.exe 2 PID 2844 wrote to memory of 836 2844 6306f11b58b3101f8733917a7e55f624.exe 27 PID 2844 wrote to memory of 836 2844 6306f11b58b3101f8733917a7e55f624.exe 27 PID 2844 wrote to memory of 836 2844 6306f11b58b3101f8733917a7e55f624.exe 27 PID 2844 wrote to memory of 836 2844 6306f11b58b3101f8733917a7e55f624.exe 27 PID 2844 wrote to memory of 836 2844 6306f11b58b3101f8733917a7e55f624.exe 27
Processes
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Executes dropped EXE
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\6306f11b58b3101f8733917a7e55f624.exe"C:\Users\Admin\AppData\Local\Temp\6306f11b58b3101f8733917a7e55f624.exe"2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
PID:836
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58abd5ac79e8b924f73e4b07ca7919108
SHA142c2acc95ae72335e6af05682e4de76a38a94978
SHA25634fe3d545e488f1c88cfd445c2a8cb76f21089dd2c947dcead4157483ac403fb
SHA5121ba19dfb655eb17525a764f992ed6620febce56ca1fa2bf4c8accfa546a7d6eb1afb80f6612d2e27ae1f6c4db514dc88f0f0482ddb590b3197b25765a47fb0fb
-
Filesize
25KB
MD59e0cd37b6d0809cf7d5fa5b521538d0d
SHA1411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2
SHA25655d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2
SHA512b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5