Analysis
- max time kernel: 72s
- max time network: 79s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2024, 10:12
Static task
- static1
Behavioral task
- behavioral1
  - Sample: file.exe
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: file.exe
  - Resource: win10v2004-20231215-en
General
- Target: file.exe
- Size: 1.1MB
- MD5: 072932d63a4fdc222735e6f713a514ae
- SHA1: cdb200e4c759600e4a83e450fbd67a7682526ea9
- SHA256: eb27d4fc56e8a66e9fb47d0b73b752f963855ac169130d55a488709caa466bba
- SHA512: c7512594cb7ee7d9d3b3f71ff8931441932473d25561d946f55aface0c704b01a4f7bbbc8fc53b30e1cf1be10030c91186988f0ba6183485037924bb83db8702
- SSDEEP: 24576:La5ou5FEgQHe/Hlh9dJs3duzm413cig9gUfHSA+U:EouPx/363duzm413cr9gUqZ
Malware Config
Signatures
- Modifies security service (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" | dc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" | dc.exe
- Modifies Windows Firewall (1 TTPs, 4 IoCs)
  pid | Process
  2484 | netsh.exe
  1924 | netsh.exe
  2844 | netsh.exe
  2608 | netsh.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1900 | dc.exe
  2016 | svchost.exe
  2272 | dc.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2500 | file.exe
  2500 | file.exe
- Windows security modification (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | dc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | dc.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | dc.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | dc.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | dc.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\System\svchost.exe | file.exe
  File opened for modification | C:\Windows\System\svchost.exe | file.exe
  File created | C:\Windows\System\xxx1.bak | svchost.exe
  File opened for modification | C:\Windows\System\dc.exe | svchost.exe
  File created | C:\Windows\System\xxx1.bak | file.exe
  File opened for modification | C:\Windows\System\dc.exe | file.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1708 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  2656 | powershell.exe
  2748 | powershell.exe
  1900 | dc.exe
  1900 | dc.exe
  2500 | file.exe
  868 | powershell.exe
  1304 | powershell.exe
  2272 | dc.exe
  2272 | dc.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2656 | powershell.exe
  Token: SeDebugPrivilege | 2748 | powershell.exe
  Token: SeDebugPrivilege | 868 | powershell.exe
  Token: SeDebugPrivilege | 1304 | powershell.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  description | pid | Process | procid_target
  PID 2500 wrote to memory of 2844 | 2500 | file.exe | 29
  PID 2500 wrote to memory of 2844 | 2500 | file.exe | 29
  PID 2500 wrote to memory of 2844 | 2500 | file.exe | 29
  PID 2500 wrote to memory of 2608 | 2500 | file.exe | 31
  PID 2500 wrote to memory of 2608 | 2500 | file.exe | 31
  PID 2500 wrote to memory of 2608 | 2500 | file.exe | 31
  PID 2500 wrote to memory of 2748 | 2500 | file.exe | 33
  PID 2500 wrote to memory of 2748 | 2500 | file.exe | 33
  PID 2500 wrote to memory of 2748 | 2500 | file.exe | 33
  PID 2500 wrote to memory of 2656 | 2500 | file.exe | 35
  PID 2500 wrote to memory of 2656 | 2500 | file.exe | 35
  PID 2500 wrote to memory of 2656 | 2500 | file.exe | 35
  PID 2500 wrote to memory of 1900 | 2500 | file.exe | 37
  PID 2500 wrote to memory of 1900 | 2500 | file.exe | 37
  PID 2500 wrote to memory of 1900 | 2500 | file.exe | 37
  PID 2500 wrote to memory of 1900 | 2500 | file.exe | 37
  PID 2500 wrote to memory of 2200 | 2500 | file.exe | 42
  PID 2500 wrote to memory of 2200 | 2500 | file.exe | 42
  PID 2500 wrote to memory of 2200 | 2500 | file.exe | 42
  PID 2500 wrote to memory of 1708 | 2500 | file.exe | 44
  PID 2500 wrote to memory of 1708 | 2500 | file.exe | 44
  PID 2500 wrote to memory of 1708 | 2500 | file.exe | 44
  PID 2500 wrote to memory of 2016 | 2500 | file.exe | 46
  PID 2500 wrote to memory of 2016 | 2500 | file.exe | 46
  PID 2500 wrote to memory of 2016 | 2500 | file.exe | 46
  PID 2016 wrote to memory of 2484 | 2016 | svchost.exe | 48
  PID 2016 wrote to memory of 2484 | 2016 | svchost.exe | 48
  PID 2016 wrote to memory of 2484 | 2016 | svchost.exe | 48
  PID 2016 wrote to memory of 1924 | 2016 | svchost.exe | 50
  PID 2016 wrote to memory of 1924 | 2016 | svchost.exe | 50
  PID 2016 wrote to memory of 1924 | 2016 | svchost.exe | 50
  PID 2016 wrote to memory of 868 | 2016 | svchost.exe | 52
  PID 2016 wrote to memory of 868 | 2016 | svchost.exe | 52
  PID 2016 wrote to memory of 868 | 2016 | svchost.exe | 52
  PID 2016 wrote to memory of 1304 | 2016 | svchost.exe | 54
  PID 2016 wrote to memory of 1304 | 2016 | svchost.exe | 54
  PID 2016 wrote to memory of 1304 | 2016 | svchost.exe | 54
  PID 2016 wrote to memory of 2272 | 2016 | svchost.exe | 56
  PID 2016 wrote to memory of 2272 | 2016 | svchost.exe | 56
  PID 2016 wrote to memory of 2272 | 2016 | svchost.exe | 56
  PID 2016 wrote to memory of 2272 | 2016 | svchost.exe | 56
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\netsh.exe (PID 2844)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    Signatures: Modifies Windows Firewall
  - C:\Windows\System32\netsh.exe (PID 2608)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    Signatures: Modifies Windows Firewall
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2748)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2656)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System\dc.exe (PID 1900)
    Command line: "C:\Windows\System\dc.exe" /D
    Signatures: Modifies security service; Executes dropped EXE; Windows security modification; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\schtasks.exe (PID 2200)
    Command line: schtasks /delete /TN "Timer"
  - C:\Windows\system32\schtasks.exe (PID 1708)
    Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    Signatures: Creates scheduled task(s)
  - C:\Windows\System\svchost.exe (PID 2016)
    Command line: "C:\Windows\System\svchost.exe" formal
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\netsh.exe (PID 2484)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      Signatures: Modifies Windows Firewall
    - C:\Windows\System32\netsh.exe (PID 1924)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      Signatures: Modifies Windows Firewall
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 868)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1304)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System\dc.exe (PID 2272)
      Command line: "C:\Windows\System\dc.exe" /D
      Signatures: Modifies security service; Executes dropped EXE; Windows security modification; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\gpscript.exe (PID 436)
  Command line: gpscript.exe /RefreshSystemParam
- C:\Windows\system32\gpscript.exe (PID 2724)
  Command line: gpscript.exe /RefreshSystemParam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 108KB
  MD5: 07232b64be72593980cd952e8f85017e
  SHA1: 61dba57cc51f4501ace3520e2cf559d8e42e04d7
  SHA256: ef342bcc3c938c2fa9b38bc84019d8dce94d018372f7d9c29a8ee7ff3f0fc3a8
  SHA512: d5417f270e14fe3437c0d017e037117001377379475531b70f9d6840548dd830117fbf62c152c9af09f586bdf944edac330bc560cca4fa45105269319e7158cb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 228c22ed89a894a8103a50bcc727e6b8
  SHA1: 63f5d0fb8159597af848cadd8885d3e25445ce27
  SHA256: 2684734fd4b56ead9adad039177f0f90764e8444d3ec28a84aa5aca1e75520b7
  SHA512: 8467318719ebfefbc4b89239a4f866c5dbea5b04cf66fa556edfb745404b9f4c1bd9a8abd1b39afa8fa5a372b9e9757fbd7b93a8d36291d9cdd4fd03a3be8bac
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: a548e3a182d431496c3c25049fddd413
  SHA1: f56250f089732e82e72755aaf0e0d44f6e7bc3ed
  SHA256: dd973423ce6b065fd0e7b5dbae865776f5920791e431f3f4b4bc550e13fd42da
  SHA512: 98c68829103ba30f566eed9ab253da4b86103db5ea8f4ecf1a2eda0c697ae20b9829676de68f06c0c31358176f801bfd829e36431a68fc079480e7efc562ee4f
- Filesize: 160B
  MD5: 58f8eb09a822c09fc11f5a42baae36f1
  SHA1: 9e7063eeee62c8588e0020bef3a116e9379966aa
  SHA256: 6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a
  SHA512: 53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e
- Filesize: 233B
  MD5: cd4326a6fd01cd3ca77cfd8d0f53821b
  SHA1: a1030414d1f8e5d5a6e89d5a309921b8920856f9
  SHA256: 1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
  SHA512: 29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
- Filesize: 44KB
  MD5: a92aebac605644987f13efe616317941
  SHA1: f1110e7ca344ae804936af94abfe1e720e8bf408
  SHA256: 0e19874d39f70c47ba63d6f2f434952ec0f12454f20ff4ba6ea67df3720c405f
  SHA512: da0d89dced8f06c7edc6e41f8439a0cae9d5a1d62154c8d14770237efd61e91820435df0bf89371e4b5abb1ffa8e639809b3a2f8f6a4cc3e1c5af09cba726317
- Filesize: 50KB
  MD5: 2bcad11218e525ed71f66a81a386d82c
  SHA1: 6242577f8d697fb7c3e32e1dd17cc7ed511dc736
  SHA256: 0c517c8e3ecb30e3ea46d7e37b2681f5c3cbc11999b2058c8e489e97353fca3f
  SHA512: 238dea5d9d8ffbc3702f817f3a458d9ba1d15e18f165a13577a6051509b27065df1c784e162ebcad34ca53cebfccb916ab968ffb8aaeeb059b7ef6a5a56db3a8
- Filesize: 763KB
  MD5: 0a50081a6cd37aea0945c91de91c5d97
  SHA1: 755309c6d9fa4cd13b6c867cde01cc1e0d415d00
  SHA256: 6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b
  SHA512: f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846
- Filesize: 1.1MB
  MD5: 072932d63a4fdc222735e6f713a514ae
  SHA1: cdb200e4c759600e4a83e450fbd67a7682526ea9
  SHA256: eb27d4fc56e8a66e9fb47d0b73b752f963855ac169130d55a488709caa466bba
  SHA512: c7512594cb7ee7d9d3b3f71ff8931441932473d25561d946f55aface0c704b01a4f7bbbc8fc53b30e1cf1be10030c91186988f0ba6183485037924bb83db8702