Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-01-2024 20:08
Behavioral task: behavioral1
- Sample: CEE364A8874C51C46545841113BD0EDD.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: CEE364A8874C51C46545841113BD0EDD.exe
- Resource: win10v2004-20231215-en
General
- Target: CEE364A8874C51C46545841113BD0EDD.exe
- Size: 23KB
- MD5: cee364a8874c51c46545841113bd0edd
- SHA1: 271efcea6c3518b9127470afabbf2b8a00ef59c2
- SHA256: bd523059a2fecc46b359e559321dbc1986177ef5432299bc3c84ce4b3140d866
- SHA512: 6bcc338f000ba4d832fe9e105d98e1770258b7fce222380f9808e33028cbde7d4cbc8e33e887353e0eb1686653229b0e244524e54eff5f9450fc9401e37915db
- SSDEEP: 384:CY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3tVmRvR6JZlbw8hqIusZzZag:VL2s+tRdRpcnuU
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid | process
    2088 | netsh.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: CEE364A8874C51C46545841113BD0EDD.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CEE364A8874C51C46545841113BD0EDD.exe\" .." | CEE364A8874C51C46545841113BD0EDD.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CEE364A8874C51C46545841113BD0EDD.exe\" .." | CEE364A8874C51C46545841113BD0EDD.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes: CEE364A8874C51C46545841113BD0EDD.exe
    description | pid | process
    Token: SeDebugPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: 33 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
    Token: SeIncBasePriorityPrivilege | 2080 | CEE364A8874C51C46545841113BD0EDD.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: CEE364A8874C51C46545841113BD0EDD.exe
    description | pid | process | target process
    PID 2080 wrote to memory of 2088 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe | netsh.exe
    PID 2080 wrote to memory of 2088 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe | netsh.exe
    PID 2080 wrote to memory of 2088 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe | netsh.exe
    PID 2080 wrote to memory of 2088 | 2080 | CEE364A8874C51C46545841113BD0EDD.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CEE364A8874C51C46545841113BD0EDD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CEE364A8874C51C46545841113BD0EDD.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child process)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CEE364A8874C51C46545841113BD0EDD.exe" "CEE364A8874C51C46545841113BD0EDD.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- memory/2080-1-0x00000000004A0000-0x00000000004E0000-memory.dmp (Filesize: 256KB)
- memory/2080-2-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/2080-0-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/2080-3-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/2080-4-0x00000000004A0000-0x00000000004E0000-memory.dmp (Filesize: 256KB)