50dbc6f2cdd5dbdf391a1ebe96023e305cfe64591cd457859cbf5296be4ce624

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04cb94f8d080736177003426a336e73a.exe
Size

154KB
MD5

04cb94f8d080736177003426a336e73a
SHA1

1e6d9ca37d10297d80fe86793d7913b1e0c3c6ec
SHA256

50dbc6f2cdd5dbdf391a1ebe96023e305cfe64591cd457859cbf5296be4ce624
SHA512

4e44e5e3685fccd2965ff1435cc09498f97bb67ee76128ac423b12fac28cf7248ccb106591245b7ba346a0f08e5ad7c7ce55d0cf5203de8c63ecfa3b3684a083
SSDEEP

3072:faSZDyMM6Gqgcou7+J/a83z8+lzukia7Ll/2fDbvdClWjwSV/ZTeY:faAnD7CXZlhFqDbvYAz

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1036	netsh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000400000-0x0000000000870000-memory.dmp	upx
behavioral1/memory/1712-6-0x0000000000400000-0x0000000000870000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpgrade = "C:\\WINDOWS\\inetinfx.exe"	04cb94f8d080736177003426a336e73a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\inetinfx.exe	04cb94f8d080736177003426a336e73a.exe
File opened for modification	C:\WINDOWS\inetinfx.exe	04cb94f8d080736177003426a336e73a.exe
File created	C:\Windows\inidirx.ini	04cb94f8d080736177003426a336e73a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1712	04cb94f8d080736177003426a336e73a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1036	1712	04cb94f8d080736177003426a336e73a.exe	28
PID 1712 wrote to memory of 1036	1712	04cb94f8d080736177003426a336e73a.exe	28
PID 1712 wrote to memory of 1036	1712	04cb94f8d080736177003426a336e73a.exe	28
PID 1712 wrote to memory of 1036	1712	04cb94f8d080736177003426a336e73a.exe	28

C:\Users\Admin\AppData\Local\Temp\04cb94f8d080736177003426a336e73a.exe
"C:\Users\Admin\AppData\Local\Temp\04cb94f8d080736177003426a336e73a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  - Modifies Windows Firewall
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-0-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1712-6-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads