71fba34c9bd585bddb11ab4c11f6f14408eaadd9483d4435a1abbb864d1d56ce

Analysis

max time kernel
203s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d97770fa4adfd8d3286e9b3c46fcb4b.exe
Size

31KB
MD5

7d97770fa4adfd8d3286e9b3c46fcb4b
SHA1

92d3a80627dcd6a6965a2f0076fd57b470448017
SHA256

71fba34c9bd585bddb11ab4c11f6f14408eaadd9483d4435a1abbb864d1d56ce
SHA512

40f265733ac0b99a526f6592b3d454ea8cd77b92f504e159deb38ea0ccca3c2304899eb5199702befb2458a4924f5827017041ae0c6106ab63576dd54bdcaf35
SSDEEP

768:3JZtrxfA1SXxcjsAUh7L3XzpeN5BL7Rmr2cdov3+srKC:7tlA140mLzQN56PSv3jKC

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	rundll.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2992-0-0x0000000001200000-0x0000000001218000-memory.dmp	upx
behavioral2/memory/2812-3-0x0000000001200000-0x0000000001218000-memory.dmp	upx
behavioral2/memory/2992-5-0x0000000001200000-0x0000000001218000-memory.dmp	upx
behavioral2/memory/2812-14-0x0000000001200000-0x0000000001218000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3616	2812	WerFault.exe	91

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2992	7d97770fa4adfd8d3286e9b3c46fcb4b.exe
2992	7d97770fa4adfd8d3286e9b3c46fcb4b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	2812	rundll.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2812	2992	7d97770fa4adfd8d3286e9b3c46fcb4b.exe	91
PID 2992 wrote to memory of 2812	2992	7d97770fa4adfd8d3286e9b3c46fcb4b.exe	91
PID 2992 wrote to memory of 2812	2992	7d97770fa4adfd8d3286e9b3c46fcb4b.exe	91

C:\Users\Admin\AppData\Local\Temp\7d97770fa4adfd8d3286e9b3c46fcb4b.exe
"C:\Users\Admin\AppData\Local\Temp\7d97770fa4adfd8d3286e9b3c46fcb4b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2992
- C:\windows\rundll.exe
  C:\windows\rundll.exe
  2⤵
  - Modifies firewall policy service
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 908
    3⤵
    - Program crash
    PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2812 -ip 2812
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-3-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download
memory/2812-14-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download
memory/2992-0-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download
memory/2992-5-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads