Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 25-01-2024 17:19
Behavioral task: behavioral1
Sample: 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
Resource: win7-20231129-en
General
Target: 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
Size: 3.5MB
MD5: a9e5109e14562508b2b2a03a60dc7202
SHA1: bbe5b84d9d3ad7ca2fb34602182297f3ae669611
SHA256: c62d65e49cda2653b185ba181c1ad775955e10f6550acde60562e90d35861045
SHA512: 1e93b71a563e3f853f0a8d7ca83d32b147a058bb9dba4867cec31cce68a1d19357442b3684c10014be025570fef7e5b432d9ad007b915b0df9428390b2b718e4
SSDEEP: 49152:XkLUJbzk8o21UsNT7I35W4AShA+SdhtkCu/BaC8UWF:X7XkkNpIJAkA+otSZax
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe
  pid   process
  2508  netsh.exe
Drops startup file (2 IoCs)
Processes: svchost.exe
  description  ioc  process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\325ed1ae2a47f27cdcc228f42fff7da3.exe  svchost.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\325ed1ae2a47f27cdcc228f42fff7da3.exe  svchost.exe
Executes dropped EXE (1 IoC)
Processes: svchost.exe
  pid   process
  2184  svchost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\325ed1ae2a47f27cdcc228f42fff7da3 = "\"C:\\Windows\\svchost.exe\" .."  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\325ed1ae2a47f27cdcc228f42fff7da3 = "\"C:\\Windows\\svchost.exe\" .."  svchost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Drops autorun.inf file (1 TTP, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: svchost.exe
  description  ioc  process
  File opened for modification  C:\autorun.inf  svchost.exe
  File created  D:\autorun.inf  svchost.exe
  File created  F:\autorun.inf  svchost.exe
  File opened for modification  F:\autorun.inf  svchost.exe
  File created  C:\autorun.inf  svchost.exe
Drops file in Windows directory (3 IoCs)
Processes: 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe, svchost.exe
  description  ioc  process
  File created  C:\Windows\svchost.exe  2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
  File opened for modification  C:\Windows\svchost.exe  2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
  File opened for modification  C:\Windows\svchost.exe  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: svchost.exe
  description  pid  process
  Token: SeDebugPrivilege  2184  svchost.exe
  Token: 33  2184  svchost.exe
  Token: SeIncBasePriorityPrivilege  2184  svchost.exe
  (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for pid 2184 svchost.exe is repeated 17 times in total, giving the 35 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe, svchost.exe
  description  pid  process  target process
  PID 1068 wrote to memory of 2184  1068  2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe  svchost.exe
  PID 1068 wrote to memory of 2184  1068  2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe  svchost.exe
  PID 1068 wrote to memory of 2184  1068  2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe  svchost.exe
  PID 1068 wrote to memory of 2184  1068  2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe  svchost.exe
  PID 2184 wrote to memory of 2508  2184  svchost.exe  netsh.exe
  PID 2184 wrote to memory of 2508  2184  svchost.exe  netsh.exe
  PID 2184 wrote to memory of 2508  2184  svchost.exe  netsh.exe
  PID 2184 wrote to memory of 2508  2184  svchost.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe"
   PID: 1068
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe"
      PID: 2184
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
         PID: 2508
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
C:\Windows\svchost.exe
  Filesize: 3.5MB
  MD5: a9e5109e14562508b2b2a03a60dc7202
  SHA1: bbe5b84d9d3ad7ca2fb34602182297f3ae669611
  SHA256: c62d65e49cda2653b185ba181c1ad775955e10f6550acde60562e90d35861045
  SHA512: 1e93b71a563e3f853f0a8d7ca83d32b147a058bb9dba4867cec31cce68a1d19357442b3684c10014be025570fef7e5b432d9ad007b915b0df9428390b2b718e4
memory/1068-0-0x0000000074070000-0x000000007461B000-memory.dmp
  Filesize: 5.7MB
memory/1068-1-0x0000000074070000-0x000000007461B000-memory.dmp
  Filesize: 5.7MB
memory/1068-2-0x0000000002660000-0x00000000026A0000-memory.dmp
  Filesize: 256KB
memory/1068-9-0x0000000074070000-0x000000007461B000-memory.dmp
  Filesize: 5.7MB
memory/2184-10-0x0000000074070000-0x000000007461B000-memory.dmp
  Filesize: 5.7MB
memory/2184-11-0x0000000002500000-0x0000000002540000-memory.dmp
  Filesize: 256KB
memory/2184-21-0x0000000074070000-0x000000007461B000-memory.dmp
  Filesize: 5.7MB