Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 12:43
- Static task: static1
- Behavioral task: behavioral1
  Sample: 72454051b03c281f006cd3f8e88426b3.exe
  Resource: win7-20231215-en
- Behavioral task: behavioral2
  Sample: 72454051b03c281f006cd3f8e88426b3.exe
  Resource: win10v2004-20231222-en

General
- Target: 72454051b03c281f006cd3f8e88426b3.exe
- Size: 673KB
- MD5: 72454051b03c281f006cd3f8e88426b3
- SHA1: 05bfa914bd7b1b64ffbf0bba9bd8ee78e17956b7
- SHA256: 5998bc5d720691c9a28f1c3d2fafb55195be1a1afdda292064d9fb9aef9ae04b
- SHA512: d13cde9152191dacb811a81831a5106b2ccec49c6a366aabe4254f99d628f867bc4b64747c958dbdfe4321b70a811b2d46e21cd33925697fc5395d22920d7a46
- SSDEEP: 12288:JMnBszy90Q7YX+CFTc5GDnbu/qmvSBjh+4nqjuwNhyiIgf96rNiBW:wszyUTmGf8Dv2VLqNNhyilYrNi
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 8 IoCs)
- Key created (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int) (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Key created (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int) (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Key created (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (str) (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\0000000000000000000000000000003333333333333333333333333333322222222222222222222222222222222222 = "C:\\Users\\Admin\\AppData\\Roaming\\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\\new.exe:*:Enabled:Windows Messanger"
- Key created (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (str) (reg.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\update.exe:*:Enabled:Windows Messanger"

Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created (update.exe): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
- Set value (str) (update.exe): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\\new.exe"

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
- Key created (update.exe): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B17D053-BDCE-AAED-BAAB-BAB8C0ACCFAD}
- Set value (str) (update.exe): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B17D053-BDCE-AAED-BAAB-BAB8C0ACCFAD}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\\new.exe"
- Key created (update.exe): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8B17D053-BDCE-AAED-BAAB-BAB8C0ACCFAD}
- Set value (str) (update.exe): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{8B17D053-BDCE-AAED-BAAB-BAB8C0ACCFAD}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\\new.exe"

Executes dropped EXE (6 IoCs)
- PIDs: 1888 update.exe, 1812 update.exe, 2744 update.exe, 2752 update.exe, 1300 update.exe, 1616 update.exe

Loads dropped DLL (22 IoCs)
- 1888 update.exe (4 entries), 1812 update.exe (4 entries), 2744 update.exe (4 entries), 2752 update.exe (3 entries), 1300 update.exe (4 entries), 1616 update.exe (3 entries)

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) (72454051b03c281f006cd3f8e88426b3.exe): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) (update.exe): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\\new.exe"
- Set value (str) (update.exe): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\\new.exe"

Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification (update.exe): \??\PhysicalDrive0
- File opened for modification (update.exe): \??\PhysicalDrive0

Suspicious use of SetThreadContext (4 IoCs)
- PID 1888 set thread context of 1812 (1888 update.exe, procid_target 29)
- PID 1812 set thread context of 2752 (1812 update.exe, procid_target 30)
- PID 2744 set thread context of 1300 (2744 update.exe, procid_target 44)
- PID 1300 set thread context of 1616 (1300 update.exe, procid_target 45)

Modifies registry key (1 TTPs, 4 IoCs)
- PIDs: 1724 reg.exe, 2648 reg.exe, 2280 reg.exe, 2040 reg.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
- All 36 entries are from PID 2752 update.exe. Tokens: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege

Suspicious use of SetWindowsHookEx (9 IoCs)
- 1888 update.exe, 1812 update.exe, 2744 update.exe, 2752 update.exe (3 entries), 1300 update.exe, 1616 update.exe (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2928 wrote to memory of 1888 (2928 72454051b03c281f006cd3f8e88426b3.exe, procid_target 28): 7 entries
- PID 1888 wrote to memory of 1812 (1888 update.exe, procid_target 29): 12 entries
- PID 2928 wrote to memory of 2744 (2928 72454051b03c281f006cd3f8e88426b3.exe, procid_target 31): 7 entries
- PID 1812 wrote to memory of 2752 (1812 update.exe, procid_target 30): 11 entries
- PID 2752 wrote to memory of 2732 (2752 update.exe, procid_target 39): 7 entries
- PID 2752 wrote to memory of 2880 (2752 update.exe, procid_target 38): 7 entries
- PID 2752 wrote to memory of 2764 (2752 update.exe, procid_target 37): 7 entries
- PID 2752 wrote to memory of 2708 (2752 update.exe, procid_target 32): 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\72454051b03c281f006cd3f8e88426b3.exe (PID 2928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\72454051b03c281f006cd3f8e88426b3.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe (PID 1888)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe (PID 1812)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe (PID 2752)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
        Signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2708)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\new.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\new.exe:*:Enabled:Windows Messanger" /f
          - C:\Windows\SysWOW64\reg.exe (PID 2040)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\new.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\00000000000000000000000000000033333333333333333333333333333222222222222222222222222222222222222222222666666666666666666666666666666666666999999999999999999999999999\new.exe:*:Enabled:Windows Messanger" /f
            Signatures: Modifies firewall policy service; Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe (PID 2764)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - C:\Windows\SysWOW64\reg.exe (PID 2648)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            Signatures: Modifies firewall policy service; Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe (PID 2880)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe:*:Enabled:Windows Messanger" /f
          - C:\Windows\SysWOW64\reg.exe (PID 1724)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe:*:Enabled:Windows Messanger" /f
            Signatures: Modifies firewall policy service; Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe (PID 2732)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - C:\Windows\SysWOW64\reg.exe (PID 2280)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            Signatures: Modifies firewall policy service; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe (PID 2744)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe (PID 1300)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe (PID 1616)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
- Filesize: 1024KB
- MD5: 8b0075d01feddc0e208f8f2aae108b7f
- SHA1: 6053422705f97eaada22b36f18fce84d25b52122
- SHA256: 2f91707c2f568417938f4aea7783e4056f573675440af224e02c5961ad071832
- SHA512: f476e00f2fae5fb4c9914b52ea6f54f58c9bd26d4e2c2ee97837e1be84498f73fd65293366dd3bd4f3b39425eec7a9826312d0347d2de96290467ab4a86e247c