cf8e8da755fb54f7548f7e339e4eaef0550fcfb07b2ce23ae76464ae01b78b49

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a36dadbf4410a5898f6ed7c408be7743.exe
Size

4.0MB
MD5

a36dadbf4410a5898f6ed7c408be7743
SHA1

371ca2e1773897a2c0b05b99d75b68e7d56890e4
SHA256

cf8e8da755fb54f7548f7e339e4eaef0550fcfb07b2ce23ae76464ae01b78b49
SHA512

d9ad4d4b256bcede002de1ed7bb49d8ea5cb80fb1e60f325589c4204d9d7d1e8a2cf7facbcddb8e18ba3ff607cd983e6b91f1ac40537a3feee4dc321330ebfef
SSDEEP

98304:OLV/exsn/vW9ACWiC0PR3nCSU2yW8DeZRzpwiU0mvyi04:iVG+n3WuCnCqnCSU2yW8D2zpqTE4

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2592	netsh.exe
2588	netsh.exe
2616	netsh.exe
2284	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GbpSv\ImagePath = "explorer.exe C:\\windows\\system32\\svchosts.exe"	sxe40BA.tmp

Executes dropped EXE 1 IoCs

pid	Process
2608	sxe40BA.tmp

Loads dropped DLL 3 IoCs

pid	Process
2232	a36dadbf4410a5898f6ed7c408be7743.exe
2232	a36dadbf4410a5898f6ed7c408be7743.exe
2232	a36dadbf4410a5898f6ed7c408be7743.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SHELL = "C:\\windows\\system32\\svchosts.exe"	sxe40BA.tmp

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\didutrustme26122007.txt	sxe40BA.tmp
File created	C:\windows\SysWOW64\svchosts.exe	sxe40BA.tmp
File opened for modification	C:\windows\SysWOW64\svchosts.exe	sxe40BA.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftWareProtector\novo_out.pr	sxe40BA.tmp

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2636	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2608	sxe40BA.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2232 wrote to memory of 2608	2232	a36dadbf4410a5898f6ed7c408be7743.exe	28
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2528	2608	sxe40BA.tmp	29
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2560	2608	sxe40BA.tmp	30
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2568	2608	sxe40BA.tmp	32
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2660	2608	sxe40BA.tmp	34
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2608 wrote to memory of 2636	2608	sxe40BA.tmp	38
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2528 wrote to memory of 2284	2528	cmd.exe	40
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2560 wrote to memory of 2592	2560	cmd.exe	41
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2660 wrote to memory of 2588	2660	cmd.exe	42
PID 2568 wrote to memory of 2616	2568	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\a36dadbf4410a5898f6ed7c408be7743.exe
"C:\Users\Admin\AppData\Local\Temp\a36dadbf4410a5898f6ed7c408be7743.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\sxe40BA.tmp
  "C:\Users\Admin\AppData\Local\Temp\sxe40BA.tmp"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\WINDOWS\SysWOW64\cmd.exe
    C:\WINDOWS\system32\cmd.exe /c "netsh firewall set opmode mode = enable"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode = enable
      4⤵
      Modifies Windows Firewall
      PID:2284
- - C:\WINDOWS\SysWOW64\cmd.exe
    C:\WINDOWS\system32\cmd.exe /c "netsh firewall set notifications mode = disable"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set notifications mode = disable
      4⤵
      Modifies Windows Firewall
      PID:2592
- - C:\WINDOWS\SysWOW64\cmd.exe
    C:\WINDOWS\system32\cmd.exe /c "netsh firewall set portopening protocol=ALL port=443 name=TESTE mode=DISABLE scope=ALL profile=ALL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set portopening protocol=ALL port=443 name=TESTE mode=DISABLE scope=ALL profile=ALL
      4⤵
      Modifies Windows Firewall
      PID:2616
- - C:\WINDOWS\SysWOW64\cmd.exe
    C:\WINDOWS\system32\cmd.exe /c "netsh firewall set portopening ALL 443 TESTE DISABLE CUSTOM ALL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set portopening ALL 443 TESTE DISABLE CUSTOM ALL
      4⤵
      Modifies Windows Firewall
      PID:2588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
    3⤵
    - Creates scheduled task(s)
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sxe40BA.tmp

Filesize
1.9MB

MD5
bdda64b143a9e9c245ca6890436c40df

SHA1
ab741ee6f8ea1069f63894fb6dfb8763e3331a90

SHA256
02a6357eb636fc8c8eb34a0d49bb81690033ee0e24b8785cde8566d0572f5747

SHA512
1969a3c9062f149454fe55194eaa9765bb0e0cbe50345882fd1609dd14a7f3147413981fcdff79ab299f0b989121c67719b6e9023292e004675d8a99cb23dbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxe40BA.tmp

Filesize
6.9MB

MD5
38f0907893ec64d1d72dd84ca21daf40

SHA1
64d7c4d00781df1b2281266c5f48685df016c59a

SHA256
bd825190879ed4ed87fd62f4a983482215e42f79b073d858eb46be328a733ed9

SHA512
d7666d342447b16674a6fbc311ffa473805d553c3d49052a97433593c2e2c01b81b68f7dc98a135292b99d06130a49cc9d24a99b402b655418aa4640fbd05d1a

Download Submit
\Users\Admin\AppData\Local\Temp\sxe40A8.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
\Users\Admin\AppData\Local\Temp\sxe40BA.tmp

Filesize
2.2MB

MD5
09da1534da5a6583fe90f57c3a523edd

SHA1
6134f33ccaeb7f3c1b4d9df6e8e0d2fb70371af3

SHA256
99dca2c2945ec9e524c447648e9114684aaa8935f7384bc8d439d656d64441d4

SHA512
0ea0c2ce8780f64b142c177a7ab4e9186079606214dafd62f5221313aacb54b26d079f4d68be7dd50a387adce591c243979e29f42fa3d416a738850bff00ca48

Download Submit
\Users\Admin\AppData\Local\Temp\sxe40BA.tmp

Filesize
2.3MB

MD5
0fa2ef74e3cbfd8d4f5ad988b4befd26

SHA1
dc982117cc4186692dfc803a80f7a3a2f05f7196

SHA256
96152963a9209269380a859532860e66f53ff401491dd1cd70bee305497dd850

SHA512
dd37f930a426a8659500ccfc2173729a774477575ced7fe65e73c8422b8e43dec0ad94d977b4030272a76736656e41556c31165c249c6d179aea61bd933ba279

Download Submit
memory/2608-19-0x0000000000400000-0x00000000011C8000-memory.dmp

Filesize
13.8MB

Download
memory/2608-21-0x0000000000400000-0x00000000011C8000-memory.dmp

Filesize
13.8MB

Download
memory/2608-22-0x0000000000400000-0x00000000011C8000-memory.dmp

Filesize
13.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads