Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-01-2024 16:01
Behavioral task: behavioral1
- Sample: 7B1809B4AA561D6A694744164831856A.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7B1809B4AA561D6A694744164831856A.exe
- Resource: win10v2004-20231222-en
General
- Target: 7B1809B4AA561D6A694744164831856A.exe
- Size: 23KB
- MD5: 7b1809b4aa561d6a694744164831856a
- SHA1: efa9b84a0e9f0c8ae1dd1fb0c7b28366ca3c04bf
- SHA256: f44f9ca899f0ac7efc49d491703f249b86f4863914baddd8cedeb3646d0086ae
- SHA512: ad3dbf695d19b9224f23af11793a2520a7717b8b545b4561046bd033161e13a11286374b0f17234aacf9247864c106db5323e2327f10b885a98ec62b44f55afe
- SSDEEP: 384:HY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3tVmRvR6JZlbw8hqIusZzZaA:QL2s+tRdRpcnuk
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  pid   process
  2276  netsh.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description      ioc                                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7B1809B4AA561D6A694744164831856A.exe\" .."  7B1809B4AA561D6A694744164831856A.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7B1809B4AA561D6A694744164831856A.exe\" .."  7B1809B4AA561D6A694744164831856A.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
  description                        pid   process
  Token: SeDebugPrivilege            2340  7B1809B4AA561D6A694744164831856A.exe
  Token: 33                          2340  7B1809B4AA561D6A694744164831856A.exe
  Token: SeIncBasePriorityPrivilege  2340  7B1809B4AA561D6A694744164831856A.exe
  (the last two rows alternate, Token: 33 then Token: SeIncBasePriorityPrivilege, for the remaining 34 entries, all from pid 2340)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid   process                               target process
  PID 2340 wrote to memory of 2276    2340  7B1809B4AA561D6A694744164831856A.exe  netsh.exe
  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7B1809B4AA561D6A694744164831856A.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7B1809B4AA561D6A694744164831856A.exe"
  Depth: 1
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7B1809B4AA561D6A694744164831856A.exe" "7B1809B4AA561D6A694744164831856A.exe" ENABLE
    Depth: 2 (child of the sample process above)
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- memory/2340-0-0x0000000074CD0000-0x000000007527B000-memory.dmp  Filesize: 5.7MB
- memory/2340-2-0x0000000000710000-0x0000000000750000-memory.dmp  Filesize: 256KB
- memory/2340-1-0x0000000074CD0000-0x000000007527B000-memory.dmp  Filesize: 5.7MB
- memory/2340-3-0x0000000074CD0000-0x000000007527B000-memory.dmp  Filesize: 5.7MB
- memory/2340-4-0x0000000074CD0000-0x000000007527B000-memory.dmp  Filesize: 5.7MB
- memory/2340-5-0x0000000000710000-0x0000000000750000-memory.dmp  Filesize: 256KB