Analysis
- max time kernel: 163s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-01-2024 20:05
Behavioral task: behavioral1
- Sample: CEE364A8874C51C46545841113BD0EDD.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: CEE364A8874C51C46545841113BD0EDD.exe
- Resource: win10v2004-20231215-en
General
- Target: CEE364A8874C51C46545841113BD0EDD.exe
- Size: 23KB
- MD5: cee364a8874c51c46545841113bd0edd
- SHA1: 271efcea6c3518b9127470afabbf2b8a00ef59c2
- SHA256: bd523059a2fecc46b359e559321dbc1986177ef5432299bc3c84ce4b3140d866
- SHA512: 6bcc338f000ba4d832fe9e105d98e1770258b7fce222380f9808e33028cbde7d4cbc8e33e887353e0eb1686653229b0e244524e54eff5f9450fc9401e37915db
- SSDEEP: 384:CY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3tVmRvR6JZlbw8hqIusZzZag:VL2s+tRdRpcnuU
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  - pid 1448, process netsh.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (registry writes by CEE364A8874C51C46545841113BD0EDD.exe):
  - Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CEE364A8874C51C46545841113BD0EDD.exe\" .."
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CEE364A8874C51C46545841113BD0EDD.exe\" .."
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (all by pid 4560, CEE364A8874C51C46545841113BD0EDD.exe):
  - Token: SeDebugPrivilege (once)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, for the remaining 32 IoCs
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (source pid 4560, CEE364A8874C51C46545841113BD0EDD.exe; target pid 1448, netsh.exe):
  - PID 4560 wrote to memory of 1448
  - PID 4560 wrote to memory of 1448
  - PID 4560 wrote to memory of 1448
Processes
1. C:\Users\Admin\AppData\Local\Temp\CEE364A8874C51C46545841113BD0EDD.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CEE364A8874C51C46545841113BD0EDD.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CEE364A8874C51C46545841113BD0EDD.exe" "CEE364A8874C51C46545841113BD0EDD.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- memory/4560-0-0x0000000074EA0000-0x0000000075451000-memory.dmp (Filesize 5.7MB)
- memory/4560-1-0x0000000074EA0000-0x0000000075451000-memory.dmp (Filesize 5.7MB)
- memory/4560-2-0x0000000001640000-0x0000000001650000-memory.dmp (Filesize 64KB)
- memory/4560-3-0x0000000074EA0000-0x0000000075451000-memory.dmp (Filesize 5.7MB)
- memory/4560-4-0x0000000074EA0000-0x0000000075451000-memory.dmp (Filesize 5.7MB)
- memory/4560-5-0x0000000001640000-0x0000000001650000-memory.dmp (Filesize 64KB)