Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 00:27

Static task: static1

Behavioral task: behavioral1
  Sample: bf5c0f7e725161c363aa2fe5a1024736.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: bf5c0f7e725161c363aa2fe5a1024736.exe
  Resource: win10v2004-20240226-en
General

Target: bf5c0f7e725161c363aa2fe5a1024736.exe
Size: 10KB
MD5: bf5c0f7e725161c363aa2fe5a1024736
SHA1: 7c382e58cb13b13799173d7ba4cb7d520b9ee82b
SHA256: a9b14308bee35868fb56b7b1209cf67a54fc5b9af96f4f707a2131ab85258b71
SHA512: 7ac6419ecf81083fbd55f9347b42c7d47e107527239811c70e5ad9444d44b52b54fa30b2b055b5e9dec600be4e5528b751f5b0ce3214ba1cdb96bcc0abfa1a3c
SSDEEP: 192:zbhUuffOM0AtoZiPVuirQ5aNbr2g1Mhsv8SvhQs7:5fD0AtqiPQI4aNb6po8SvuK
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  description                    ioc                                     process
  File opened for modification   C:\Windows\system32\drivers\etc\hosts   bf5c0f7e725161c363aa2fe5a1024736.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid    process
  2740   powershell.exe
  2024   powershell.exe
  2716   powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid    process
  Token: SeDebugPrivilege               1756   bf5c0f7e725161c363aa2fe5a1024736.exe
  Token: SeDebugPrivilege               2740   powershell.exe
  Token: SeIncreaseQuotaPrivilege       2740   powershell.exe
  Token: SeSecurityPrivilege            2740   powershell.exe
  Token: SeTakeOwnershipPrivilege       2740   powershell.exe
  Token: SeLoadDriverPrivilege          2740   powershell.exe
  Token: SeSystemProfilePrivilege       2740   powershell.exe
  Token: SeSystemtimePrivilege          2740   powershell.exe
  Token: SeProfSingleProcessPrivilege   2740   powershell.exe
  Token: SeIncBasePriorityPrivilege     2740   powershell.exe
  Token: SeCreatePagefilePrivilege      2740   powershell.exe
  Token: SeBackupPrivilege              2740   powershell.exe
  Token: SeRestorePrivilege             2740   powershell.exe
  Token: SeShutdownPrivilege            2740   powershell.exe
  Token: SeDebugPrivilege               2740   powershell.exe
  Token: SeSystemEnvironmentPrivilege   2740   powershell.exe
  Token: SeRemoteShutdownPrivilege      2740   powershell.exe
  Token: SeUndockPrivilege              2740   powershell.exe
  Token: SeManageVolumePrivilege        2740   powershell.exe
  Token: 33                             2740   powershell.exe
  Token: 34                             2740   powershell.exe
  Token: 35                             2740   powershell.exe
  pid 2024 (powershell.exe): the same 21 token adjustments as 2740, in the same order
  pid 2716 (powershell.exe): the same 21 token adjustments as 2740, in the same order

  The sample itself (pid 1756) adjusts only SeDebugPrivilege; the 63 remaining IoCs come from the three powershell.exe children, which each enable the same 21-privilege set. The privileges listed by number are LUIDs 33, 34 and 35, i.e. SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.

Suspicious use of WriteProcessMemory (16 IoCs)
  description                         pid    process                                 procid_target
  PID 1756 wrote to memory of 2624    1756   bf5c0f7e725161c363aa2fe5a1024736.exe    28   (4 entries)
  PID 1756 wrote to memory of 2740    1756   bf5c0f7e725161c363aa2fe5a1024736.exe    30   (4 entries)
  PID 1756 wrote to memory of 2024    1756   bf5c0f7e725161c363aa2fe5a1024736.exe    33   (4 entries)
  PID 1756 wrote to memory of 2716    1756   bf5c0f7e725161c363aa2fe5a1024736.exe    35   (4 entries)

  All 16 writes go from the sample into its own four children (the netsh.exe and three powershell.exe processes in the tree below); no write into a pre-existing or unrelated process is recorded, which is consistent with process creation rather than injection into a foreign process.
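The hosts-file IoC above only says that the sample opened C:\Windows\system32\drivers\etc\hosts for writing; the report does not record what was written. The following check, added here as a worked example and not part of the sandbox output, is what a responder would run against the hosts file recovered from an infected host: it parses the file the way the Windows resolver does (comments and malformed lines ignored, several names per line allowed), drops anything in a known-good baseline, and splits the rest into sinkhole entries (a name pointed at loopback or 0.0.0.0, the usual way to block update or security-vendor hosts) and redirects (a name pointed at some other address). The sample hosts content and the example.com/TEST-NET-3 entries are constructed for illustration.

```python
"""Hosts-file check for the "File opened for modification ... drivers\\etc\\hosts" IoC.

Added example, not part of the sandbox report.  The report only records that the
sample opened the hosts file for writing, not what it wrote; SAMPLE_HOSTS below
is constructed to show what a tampered file can look like.
"""
import ipaddress
from typing import Dict, List, Tuple

Mapping = Tuple[str, str]  # (ip, hostname)

# Stock Windows hosts files (Vista and later) contain only comment lines, so a
# clean baseline has no active mappings.  Extend this if your build adds some.
STOCK_WINDOWS_HOSTS_ENTRIES: List[Mapping] = []

# Addresses that make a name resolve nowhere useful: a blocking/sinkhole edit.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample; NOT the contents written by this sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1   update.example.com                       # constructed: update server blocked
0.0.0.0     av-vendor.example www.av-vendor.example  # constructed: two names on one line
203.0.113.7 login.bank.example                       # constructed: redirect to a TEST-NET-3 address
localhost   127.0.0.1                                # constructed: malformed (reversed), ignored
"""


def parse_hosts(text: str) -> List[Mapping]:
    """Return every active (ip, hostname) mapping in hosts-file text, in order.

    Comments and blank lines are dropped, one line may carry several names,
    and a line whose first token is not an IP address is skipped, which is
    also how the Windows resolver treats it.
    """
    mappings: List[Mapping] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        mappings.extend((ip, name.lower()) for name in fields[1:])
    return mappings


def classify(mappings: List[Mapping], baseline: List[Mapping]) -> Dict[str, List[Mapping]]:
    """Split non-baseline mappings into 'sinkhole' (name -> loopback or null
    route, i.e. blocking) and 'redirect' (name -> any other address)."""
    base = set(baseline)
    findings: Dict[str, List[Mapping]] = {"sinkhole": [], "redirect": []}
    for ip, name in mappings:
        if (ip, name) in base:
            continue
        kind = "sinkhole" if ip in SINKHOLE_ADDRS else "redirect"
        findings[kind].append((ip, name))
    return findings


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS), STOCK_WINDOWS_HOSTS_ENTRIES)
    for kind, entries in result.items():
        for ip, name in entries:
            print(f"{kind:8} {name} -> {ip}")
```

On a live host, read the file with the system's own path (%SystemRoot%\System32\drivers\etc\hosts) and keep the baseline in version control; a redirect finding for a banking or update domain deserves a higher priority than a sinkhole, because it is the hijack case rather than the blocking case.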
Processes

C:\Users\Admin\AppData\Local\Temp\bf5c0f7e725161c363aa2fe5a1024736.exe  (PID 1756, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\bf5c0f7e725161c363aa2fe5a1024736.exe"
  - Drops file in Drivers directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\netsh.exe  (PID 2624, level 2, child of 1756)
    command line: "netsh.exe" adv firewall set opmode mode disable

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2740, level 2, child of 1756)
    command line: "powershell.exe" -executionpolicy bypass -command .\remotec.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2024, level 2, child of 1756)
    command line: "powershell.exe" -executionpolicy bypass -command .\remotec.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2716, level 2, child of 1756)
    command line: "powershell.exe" -executionpolicy bypass -command .\remotec.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
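Detection logic for the process tree above, added here as a worked example; it is not part of the sandbox report. The events are constructed from the tree in a Sysmon-like shape (pid, ppid, image, cmdline; the field names are an assumption). Two details of the captured command lines drive the rule design. The netsh line reads `adv firewall` with a space, which is neither the legacy `netsh firewall` context nor the current `netsh advfirewall` context, so a rule keyed on the exact official syntax would miss it; the rule therefore compares whitespace-stripped command lines and looks for `firewall` together with `disable` or `state off`, which catches all three forms. The PowerShell rule accepts the abbreviated `-ep`, `-ex` and `-exec` spellings of `-ExecutionPolicy` as well as the full one, and notes when the script comes from a relative path. The correlation step then escalates a parent that both tampers with the firewall and launches policy-bypassing PowerShell, which is exactly what PID 1756 does here.

```python
"""Detection rules for the process tree in this report (added example, not
part of the sandbox output).  EVENTS is constructed from the tree; the
Sysmon-like field names are an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed from the Processes section: pid, parent pid, image, command line.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\bf5c0f7e725161c363aa2fe5a1024736.exe"
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"powershell.exe" -executionpolicy bypass -command .\remotec.ps1'
EVENTS: List[Dict] = [
    {"pid": 1756, "ppid": 0, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 2624, "ppid": 1756, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": '"netsh.exe" adv firewall set opmode mode disable'},
    {"pid": 2740, "ppid": 1756, "image": PS_EXE, "cmdline": PS_CMD},
    {"pid": 2024, "ppid": 1756, "image": PS_EXE, "cmdline": PS_CMD},
    {"pid": 2716, "ppid": 1756, "image": PS_EXE, "cmdline": PS_CMD},
]


def _compact(cmd: str) -> str:
    """Lower-case and drop all whitespace, so 'adv firewall' == 'advfirewall'
    and 'state off' == 'stateoff' when matching."""
    return re.sub(r"\s+", "", cmd.lower())


def is_firewall_tamper(ev: Dict) -> bool:
    """netsh invoked against a firewall context with a disabling verb."""
    if not ev["image"].lower().endswith("\\netsh.exe"):
        return False
    c = _compact(ev["cmdline"])
    return "firewall" in c and ("disable" in c or "stateoff" in c)


# -ExecutionPolicy Bypass, including the -ep / -ex / -exec abbreviations.
_PS_BYPASS = re.compile(r"-e(?:p|x\w*)?\s+bypass", re.I)
# A script run from a relative path such as .\remotec.ps1
_PS_SCRIPT = re.compile(r"\.\\\S+\.ps1", re.I)


def is_ps_bypass(ev: Dict) -> bool:
    if not ev["image"].lower().endswith("\\powershell.exe"):
        return False
    return bool(_PS_BYPASS.search(ev["cmdline"]))


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the per-event rules; one alert per matching rule."""
    alerts = []
    for ev in events:
        if is_firewall_tamper(ev):
            alerts.append({"rule": "netsh_firewall_disable", "pid": ev["pid"], "ppid": ev["ppid"]})
        if is_ps_bypass(ev):
            rule = "powershell_bypass_local_script" if _PS_SCRIPT.search(ev["cmdline"]) else "powershell_bypass"
            alerts.append({"rule": rule, "pid": ev["pid"], "ppid": ev["ppid"]})
    return alerts


def correlate(events: List[Dict], alerts: List[Dict]) -> List[Dict]:
    """Group alerts by parent pid.  A parent that both disabled the firewall
    and ran policy-bypassing PowerShell is rated high; anything else medium."""
    by_pid = {ev["pid"]: ev for ev in events}
    per_parent: Dict[int, set] = defaultdict(set)
    for a in alerts:
        per_parent[a["ppid"]].add(a["rule"])
    out = []
    for ppid, rules in per_parent.items():
        fw = "netsh_firewall_disable" in rules
        ps = any(r.startswith("powershell_bypass") for r in rules)
        out.append({"parent_pid": ppid,
                    "parent_image": by_pid.get(ppid, {}).get("image"),
                    "severity": "high" if fw and ps else "medium",
                    "rules": sorted(rules)})
    return out


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    for c in correlate(EVENTS, found):
        print(c)
```

Against the constructed events this yields one netsh alert and three PowerShell alerts, all with parent 1756, and a single high-severity correlation on the sample. The same rules fire on `netsh advfirewall set allprofiles state off` and `netsh firewall set opmode mode=disable`, but not on read-only calls such as `netsh advfirewall show allprofiles`.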
Network
MITRE ATT&CK Matrix
Downloads

(path not shown in the report)
  Filesize: 25B
  MD5: ef46a0a8876f0087d7b911ea37bad630
  SHA1: bcbe2fe5d1bbc93b7cfc22c3a6690f707bdb7e85
  SHA256: 03b99330adae893d39abf90ad08fe812f6469e6159a76ad430f8dde926282ee5
  SHA512: 951ee7ef94c510f27236c0af37ff052cf8ed0eac966be9b3096067f2353b848c6e4f0a3475702f7215fe6c3dac4e1e799e0b05a41d13a3ec2f4447728c83a981

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: fcd428058d89bb3290b05a3d14cebfa9
  SHA1: d7ef879ed6f76bc437b4eb7eed051dd41da4062f
  SHA256: 4877f648ca4c12c81cc81652fcff4ab9715ff1ba0e55422c4acc1eee365b2a2f
  SHA512: 6cd95f9555c48c7a90b06731f62471897f0875999cf92e81c873a39c84fa8dcda9200da28c5f4782beabd7430eb5eb154afce4591d401655950c51fcac166336
  (customDestinations-ms files are Windows jump-list entries under Recent Items, maintained by the shell; this is a usage artifact of the run, not an executable payload.)