Analysis

max time kernel: 46s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 07/01/2024, 19:37

Static task: static1
Behavioral task: behavioral1
  Sample: FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
  Resource: win10v2004-20231215-en

General

Target: FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
Size: 202KB
MD5: 6844009e77c318557b56321ef774e997
SHA1: 081dec0183da2e2bff23a677e33f432830bc6544
SHA256: 7303b66f166c3986b0559091eeae3ca799493362e6ed7b2522c00a209faa4d87
SHA512: c595dee2821c479f11fedec5ee858e488f85709405bcd4cdb4c42e96da9975b667fb2aef4e3623ced7495de0c42c9b6950793c3125f6d9fead9bfee079bb3bc5
SSDEEP: 6144:4ZJyuMNTL2Nt+gvuIwC3bPuxpagWcR8fyT:4wV5iX+gvB3y/agxYyT
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 18 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static | services.exe
Modifies security service 2 TTPs 26 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Type = "32" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ErrorControl = "0" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32" | services.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1" | services.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security | services.exe
Deletes itself 1 IoCs
pid | Process
2844 | cmd.exe
Unexpected DNS network traffic destination 6 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File created | \systemroot\assembly\GAC_64\Desktop.ini | services.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | services.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2104 set thread context of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Installer\{eff0c3f9-890e-6eae-e5dd-3a8f877feaa7}\@ | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
480 | services.exe
2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
Token: SeDebugPrivilege | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
Token: SeDebugPrivilege | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
Token: SeBackupPrivilege | 480 | services.exe
Token: SeRestorePrivilege | 480 | services.exe
Token: SeSecurityPrivilege | 480 | services.exe
Token: SeTakeOwnershipPrivilege | 480 | services.exe
Token: SeBackupPrivilege | 480 | services.exe
Token: SeRestorePrivilege | 480 | services.exe
Token: SeSecurityPrivilege | 480 | services.exe
Token: SeTakeOwnershipPrivilege | 480 | services.exe
Token: SeBackupPrivilege | 480 | services.exe
Token: SeRestorePrivilege | 480 | services.exe
Token: SeSecurityPrivilege | 480 | services.exe
Token: SeTakeOwnershipPrivilege | 480 | services.exe
Token: SeBackupPrivilege | 480 | services.exe
Token: SeRestorePrivilege | 480 | services.exe
Token: SeSecurityPrivilege | 480 | services.exe
Token: SeTakeOwnershipPrivilege | 480 | services.exe
Token: SeBackupPrivilege | 480 | services.exe
Token: SeRestorePrivilege | 480 | services.exe
Token: SeSecurityPrivilege | 480 | services.exe
Token: SeTakeOwnershipPrivilege | 480 | services.exe
Token: SeDebugPrivilege | 480 | services.exe
Token: SeBackupPrivilege | 480 | services.exe
Token: SeRestorePrivilege | 480 | services.exe
Token: SeSecurityPrivilege | 480 | services.exe
Token: SeTakeOwnershipPrivilege | 480 | services.exe
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 2104 wrote to memory of 1184 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 13
PID 2104 wrote to memory of 480 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 2
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
PID 2104 wrote to memory of 2844 | 2104 | FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe | 28
Processes

C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  - Modifies firewall policy service
  - Modifies security service
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 480

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1184

  C:\Users\Admin\AppData\Local\Temp\FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FREE_INTERNET_TV_V3_8_0_0_V3_patch_by_FUTURiTY.exe"
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2104

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      PID: 2844
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: e934d5e687f525ee5b99fc2489975088
SHA1: b225d16ceb889b5ade370a2c4527cfdfb485ff5a
SHA256: fd9ebba0618691f022df66b1e346f59a6e1f5e119d3937a62e0aa70dc7b0792f
SHA512: a47e8cbbf285c090c2810f55120d88e58d71bb1f0fd07fadac055dd20d81a16764a8a76418417ff7ccfc247af6c940c8cf84fd2b6ac0f036ccc246bd8554d266