Analysis
- max time kernel: 151s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10/03/2024, 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: be3f0baa13fecfbf44e07583e2351df7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: be3f0baa13fecfbf44e07583e2351df7.exe
  Resource: win10v2004-20240226-en
General
- Target: be3f0baa13fecfbf44e07583e2351df7.exe
- Size: 911KB
- MD5: be3f0baa13fecfbf44e07583e2351df7
- SHA1: 3989229062f1393bccac518002b4625445721063
- SHA256: 168b6fbe8b8f0fa03736eeec8e5e3b5a72c049700bfe847cd7050bc97f267649
- SHA512: 9c26974164d5b4f999dffa8c5f59a32dbd6bc868498f300d44e33c4aa32576aa190a25c0a761f6421857bfe934a9ea0d955d064034e2c7ad887ac0c5d6479de6
- SSDEEP: 12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNTPPpHSgaZpCYcT2wE0XzFHV6A:Jtb20pkaCqT5TBWgNT7aZHIREwBV6A
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  2752  netsh.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2956  MSShell32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\b:  MSShell32.exe
  File opened (read-only)  \??\h:  MSShell32.exe
  File opened (read-only)  \??\i:  MSShell32.exe
  File opened (read-only)  \??\m:  MSShell32.exe
  File opened (read-only)  \??\v:  MSShell32.exe
  File opened (read-only)  \??\a:  MSShell32.exe
  File opened (read-only)  \??\e:  MSShell32.exe
  File opened (read-only)  \??\g:  MSShell32.exe
  File opened (read-only)  \??\o:  MSShell32.exe
  File opened (read-only)  \??\p:  MSShell32.exe
  File opened (read-only)  \??\q:  MSShell32.exe
  File opened (read-only)  \??\x:  MSShell32.exe
  File opened (read-only)  \??\j:  MSShell32.exe
  File opened (read-only)  \??\l:  MSShell32.exe
  File opened (read-only)  \??\n:  MSShell32.exe
  File opened (read-only)  \??\r:  MSShell32.exe
  File opened (read-only)  \??\s:  MSShell32.exe
  File opened (read-only)  \??\t:  MSShell32.exe
  File opened (read-only)  \??\w:  MSShell32.exe
  File opened (read-only)  \??\z:  MSShell32.exe
  File opened (read-only)  \??\k:  MSShell32.exe
  File opened (read-only)  \??\u:  MSShell32.exe
  File opened (read-only)  \??\y:  MSShell32.exe
- AutoIT Executable (6 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                     yara_rule
  behavioral1/memory/2348-0-0x0000000000400000-0x00000000004EF000-memory.dmp   autoit_exe
  behavioral1/memory/2348-4-0x0000000000400000-0x00000000004EF000-memory.dmp   autoit_exe
  behavioral1/files/0x0009000000015c4e-6.dat                                   autoit_exe
  behavioral1/memory/2956-7-0x0000000000400000-0x00000000004EF000-memory.dmp   autoit_exe
  behavioral1/files/0x0009000000015c4e-5.dat                                   autoit_exe
  behavioral1/memory/2956-14-0x0000000000400000-0x00000000004EF000-memory.dmp  autoit_exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                                                                        Process
  File opened for modification  C:\Windows\SysWOW64\winmgmts:{impersonationLevel=impersonate}!\root\cimv2  MSShell32.exe
  File opened for modification  C:\Windows\SysWOW64\winmgmts:\localhost\root\SecurityCenter2               MSShell32.exe
  File opened for modification  C:\Windows\SysWOW64\winmgmts:\root\CIMV2                                   MSShell32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2100  schtasks.exe
  2396  schtasks.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  6     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                               procid_target
  PID 2348 wrote to memory of 2100  2348  be3f0baa13fecfbf44e07583e2351df7.exe  28
  PID 2348 wrote to memory of 2100  2348  be3f0baa13fecfbf44e07583e2351df7.exe  28
  PID 2348 wrote to memory of 2100  2348  be3f0baa13fecfbf44e07583e2351df7.exe  28
  PID 2348 wrote to memory of 2100  2348  be3f0baa13fecfbf44e07583e2351df7.exe  28
  PID 2480 wrote to memory of 2956  2480  taskeng.exe                           33
  PID 2480 wrote to memory of 2956  2480  taskeng.exe                           33
  PID 2480 wrote to memory of 2956  2480  taskeng.exe                           33
  PID 2480 wrote to memory of 2956  2480  taskeng.exe                           33
  PID 2956 wrote to memory of 2396  2956  MSShell32.exe                         34
  PID 2956 wrote to memory of 2396  2956  MSShell32.exe                         34
  PID 2956 wrote to memory of 2396  2956  MSShell32.exe                         34
  PID 2956 wrote to memory of 2396  2956  MSShell32.exe                         34
  PID 2956 wrote to memory of 2752  2956  MSShell32.exe                         36
  PID 2956 wrote to memory of 2752  2956  MSShell32.exe                         36
  PID 2956 wrote to memory of 2752  2956  MSShell32.exe                         36
  PID 2956 wrote to memory of 2752  2956  MSShell32.exe                         36
Processes
- C:\Users\Admin\AppData\Local\Temp\be3f0baa13fecfbf44e07583e2351df7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be3f0baa13fecfbf44e07583e2351df7.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2348
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "C:\Users\Admin\AppData\Roaming\MSShell32.exe"
    - Creates scheduled task(s)
    PID: 2100
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {BE0DBB65-D417-46A1-BE5F-62867730C846} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2480
  - C:\Users\Admin\AppData\Roaming\MSShell32.exe
    Command line: C:\Users\Admin\AppData\Roaming\MSShell32.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2956
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "C:\Users\Admin\AppData\Roaming\MSShell32.exe"
      - Creates scheduled task(s)
      PID: 2396
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\MSShell32.exe" "MSShell32" ENABLE
      - Modifies Windows Firewall
      PID: 2752
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Scheduled Task/Job (1)
Downloads
- Filesize: 447KB
  MD5: 597f77a017528ca54ef5204f31ef5d6f
  SHA1: 2899c7d70032125e808de71abae038acf58584c7
  SHA256: 431f81c1780497e22d9c767b3eca4d76b747cf721015e0b8055ef66a40f14235
  SHA512: 4dce8b2ff06a981b607dbef1b98cba20918bcdd8101c212469581d5fa325169ae7e546e0a410426398b0b97363ee157ea00f5a92bfc7425ffea462d6ef80bacc
- Filesize: 464KB
  MD5: 60526ce02cfb01bd425ffbcf86eca804
  SHA1: cc30c5f82273d11bca900a7b875179f3549720aa
  SHA256: 14dbe1fe07fa6df5d4ae48c60b2259db697e82b6fa35614eb57b47f7480da5e2
  SHA512: c32ab437286282b9cec5aa1ea4a8ca7a5bb74aaa79498f4b0e7b3836094207eb7d11baafdc054d1dc59f753bedae834a797f5dec363548b2794458ed868aba8d
- Filesize: 15B
  MD5: 97a75a065383136b888da2884b84ceba
  SHA1: 000ba94c7d528ddfd9aebcbfe8e64abc672852e9
  SHA256: 46f6285ae622e0c180232e435ce0b43311c9f5b38ce43526160b993b734a3268
  SHA512: 37d0c532719e18cf21a237cf5a1dacf90c4a6a4f41ef125da2d1ac738f2b649eaa4f759e021d4d867248a0655c2396419ff806078e8ba3debab75acfe3c5ae4b