Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
27/01/2024, 13:20
Static task
static1
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20231222-en
General
-
Target
Client.exe
-
Size
158KB
-
MD5
2e7c4753050a5bdcbadd1657db58b548
-
SHA1
18e921a0cf1c52b4654a326d96f7e79267a92d16
-
SHA256
5ce6e15bcca3cffcb164dd551242e2bd3fb4c301885cdbef1c622e05ba850706
-
SHA512
a76d0f8512f72b631de998aea3d0d4e02ab34f32b0bda0a8d297f24baeb936945f9ec5a7d74479eac3688b4a3e402956969552109291b3ac60a80138d138fd9a
-
SSDEEP
3072:YOwq4ugpKF8ijfke6lQTvJxWVgD9OkYcG6L4h11tWANNwdNRKAJ:pF8ijMe6lMvJxagD9Ok9pLQtWINcx
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2300 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65aae4c0435d91f223c7162998af570d.exe Client.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65aae4c0435d91f223c7162998af570d.exe Client.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\65aae4c0435d91f223c7162998af570d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .." Client.exe Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\65aae4c0435d91f223c7162998af570d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .." Client.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe Token: 33 2148 Client.exe Token: SeIncBasePriorityPrivilege 2148 Client.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2300 2148 Client.exe 28 PID 2148 wrote to memory of 2300 2148 Client.exe 28 PID 2148 wrote to memory of 2300 2148 Client.exe 28 PID 2148 wrote to memory of 2300 2148 Client.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2300
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1