Analysis

- max time kernel: 0s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 31-12-2023 02:13

Static task: static1

Behavioral task: behavioral1
- Sample: 241d6106ba1b70901bd21adfb93e654a.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 241d6106ba1b70901bd21adfb93e654a.exe
- Resource: win10v2004-20231215-en
General

- Target: 241d6106ba1b70901bd21adfb93e654a.exe
- Size: 119KB
- MD5: 241d6106ba1b70901bd21adfb93e654a
- SHA1: 5d3e2035e12a7f6e0453bf5f1d030a50c9f6a26e
- SHA256: 0a2c849b16b29ec9300cee1e218f71a519fd5c507b1047bd4692a4b42ff83580
- SHA512: 000b805db2bfe62db028ed20f1889e6ec364878b36d845af25db2235112c9b52f819d559925391da23c5f54f7f04c9e889b6d75e8f486946c2e07911c643cbaa
- SSDEEP: 1536:q9CP6Azl6VEuIkL9VobQ5UwqAL2pp/rkww/ijc3OM6Xc+E1uYEXcfTxXciZsOn:q9CPxAdIkL7olwl0poKjc3O7DYEXsHT
Malware Config

- (no configuration extracted in this report)
Signatures

- Modifies firewall policy service (2 TTPs, 2 IoCs)
  Process: 241d6106ba1b70901bd21adfb93e654a.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe:*:Enabled:Microsoft® Windows System"
  The value name is the full path of the dropped copy and the data uses the legacy per-application exception format "<path>:*:Enabled:<display name>", so the sample whitelists winsam.exe in the Windows Firewall standard profile under a Microsoft-looking display name. ControlSet001 is simply the control set that CurrentControlSet resolved to on the sandbox VM.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 241d6106ba1b70901bd21adfb93e654a.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows System = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe"
  Per-user Run-key persistence for the dropped copy. The drop directory name M-1-52-5782-8754-5245 imitates a SID, and the value name "Microsoft® Windows System" is the same display name used in the firewall exception.

- Suspicious use of SetThreadContext (1 IoC)
  Process: 241d6106ba1b70901bd21adfb93e654a.exe
  - PID 2372 set thread context of PID 2144 (241d6106ba1b70901bd21adfb93e654a.exe -> 241d6106ba1b70901bd21adfb93e654a.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (11 IoCs)
  Process: 241d6106ba1b70901bd21adfb93e654a.exe
  - PID 2372 wrote to memory of PID 2144 (241d6106ba1b70901bd21adfb93e654a.exe -> 241d6106ba1b70901bd21adfb93e654a.exe), 11 times, same source and target for every IoC
  Read together with the SetThreadContext IoC: a parent writing repeatedly into a freshly started copy of its own image and then resetting that process's thread context is the process-hollowing (RunPE) pattern. This is consistent with the memory dumps, where the parent (PID 2372) is dumped at 0x320000-0x328000 (32KB) while the child (PID 2144) is dumped at 0x400000-0x40A000 (40KB), and with the process tree, where the registry changes are attributed to the second-level process rather than the original parent.
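The following PowerShell script is an added example for checking a live host for the two persistence artifacts listed above (it is not part of the sandbox report). The registry locations come from the report; the two heuristics, "executable launched from a directory directly under a user profile" and "directory name that imitates a SID, like M-1-52-5782-8754-5245", are assumptions made for this example and will need tuning on hosts with legitimate software in such locations.

```powershell
# Added hunting script, not part of the sandbox report. Registry paths are the
# report's; the profile-root and SID-lookalike heuristics are assumptions.

# Executables launched from C:\Users\<user>\<dir>\<file>.exe, i.e. directly
# under a profile rather than under AppData, Program Files or Windows.
$profileRoot    = [regex]::Escape("$env:SystemDrive\Users\")
$suspiciousPath = "^${profileRoot}[^\\]+\\(?!AppData\\)[^\\]+\\[^\\]+\.exe"
# Folder names that imitate a SID, like M-1-52-5782-8754-5245 in the report.
$sidLookalike   = '\\[A-Z]-\d+(-\d+){2,}\\'

function Test-SuspiciousCommand([string]$Text) {
    $t = $Text.Trim('"')   # Run-key data may be a quoted path
    return ($t -match $suspiciousPath) -or ($t -match $sidLookalike)
}

function Get-SuspiciousRunKeys {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($path in $keys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            if (Test-SuspiciousCommand $cmd) {
                [pscustomobject]@{ Source = $path; Name = $name; Data = $cmd }
            }
        }
    }
}

function Get-SuspiciousFirewallExceptions {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    # Legacy per-application list the sample writes to. The value NAME is the
    # executable path; the data is "<path>:*:Enabled:<display name>".
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $list = "$base\$profile\AuthorizedApplications\List"
        if (-not (Test-Path $list)) { continue }
        $key = Get-Item $list
        foreach ($name in $key.GetValueNames()) {
            if (Test-SuspiciousCommand $name) {
                [pscustomobject]@{ Source = $list; Name = $name; Data = [string]$key.GetValue($name) }
            }
        }
    }
    # Vista+ rule store: pipe-delimited "v2.x|Action=Allow|...|App=<path>|...".
    $rules = "$base\FirewallRules"
    if (Test-Path $rules) {
        $key = Get-Item $rules
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match '\|App=([^|]+)\|') {
                $app = [Environment]::ExpandEnvironmentVariables($Matches[1])
                if (Test-SuspiciousCommand $app) {
                    [pscustomobject]@{ Source = $rules; Name = $name; Data = $data }
                }
            }
        }
    }
}

Get-SuspiciousRunKeys | Format-List
Get-SuspiciousFirewallExceptions | Format-List
```

Run it in an elevated PowerShell on the suspect host; HKCU only covers the logged-on user, so for other profiles load their NTUSER.DAT hives first. When working from an offline SYSTEM hive instead, CurrentControlSet does not exist: read Select\Current and substitute ControlSetNNN (the report's ControlSet001). The script checks both the legacy AuthorizedApplications\List key the sample uses and the FirewallRules store that Windows Vista and later use for their own rules, since an exception in either place is worth a look.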
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
    - Modifies firewall policy service
    - Adds Run key to start application
    - [depth 3] C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe
      Command line: "C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"

- [depth 1] C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe
  Command line: "C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
  (a second, top-level start of the dropped copy, with no parent in the tree)
Network

- (no entries in this report)
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

The Windows Service mapping is the sandbox's automatic classification of the write under Services\SharedAccess (the firewall policy key); no service creation appears elsewhere in this report. The Run Keys mapping corresponds to the HKCU Run value above.
Downloads (memory dumps)

PID   Dump  Region                                    Size  File
2372  0     0x0000000000320000-0x0000000000328000     32KB  memory/2372-0-0x0000000000320000-0x0000000000328000-memory.dmp
2372  1     0x0000000000320000-0x0000000000328000     32KB  memory/2372-1-0x0000000000320000-0x0000000000328000-memory.dmp
2144  2     0x0000000000400000-0x000000000040A000     40KB  memory/2144-2-0x0000000000400000-0x000000000040A000-memory.dmp
2144  4     0x0000000000400000-0x000000000040A000     40KB  memory/2144-4-0x0000000000400000-0x000000000040A000-memory.dmp
2144  6     0x0000000000400000-0x000000000040A000     40KB  memory/2144-6-0x0000000000400000-0x000000000040A000-memory.dmp
2144  8     0x0000000000400000-0x000000000040A000     40KB  memory/2144-8-0x0000000000400000-0x000000000040A000-memory.dmp
2144  10    0x0000000000400000-0x000000000040A000     40KB  memory/2144-10-0x0000000000400000-0x000000000040A000-memory.dmp
2144  12    0x0000000000400000-0x000000000040A000     40KB  memory/2144-12-0x0000000000400000-0x000000000040A000-memory.dmp
2144  14    0x000000007EFDE000-0x000000007EFDF000     4KB   memory/2144-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
2144  16    0x0000000000400000-0x000000000040A000     40KB  memory/2144-16-0x0000000000400000-0x000000000040A000-memory.dmp
2144  18    0x0000000000400000-0x000000000040A000     40KB  memory/2144-18-0x0000000000400000-0x000000000040A000-memory.dmp
2144  19    0x0000000000400000-0x000000000040A000     40KB  memory/2144-19-0x0000000000400000-0x000000000040A000-memory.dmp
2412  32    0x0000000000320000-0x0000000000328000     32KB  memory/2412-32-0x0000000000320000-0x0000000000328000-memory.dmp
2412  33    0x0000000000320000-0x0000000000328000     32KB  memory/2412-33-0x0000000000320000-0x0000000000328000-memory.dmp

The repeated 40KB dumps of PID 2144 at 0x400000 are successive snapshots of the hollowed child's image region, the one the parent wrote into; dump 14 is a single 4KB page in the 0x7EFDxxxx range where 32-bit processes on Windows 7 typically have their PEB/TEB mapped. PID 2412 does not appear in the signature IoCs; its 0x320000-0x328000 region matches the parent's, which is consistent with another instance of the same image, but the report gives no PID for the winsam.exe processes in the tree, so the association is not confirmed here.