Analysis
-
max time kernel
1800s -
max time network
1554s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-03-2024 13:44
General
-
Target
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe
-
Size
8KB
-
MD5
5ebcd7121459a0fe3155f9f6f63a1a6a
-
SHA1
edb50b9de18115b11dabe9941f5b8becf36c9999
-
SHA256
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7
-
SHA512
c8994370f6af18855851879ced2456f9c87b6c6c5f4e7bee048fafea5cbbcc17b8f91ad06c8617b7a04ecad70eb9d22babdd8a3fe0fae7269490a0beac714a00
-
SSDEEP
96:WQ48k/t9wUnsggfHGyK0/Dia4QJT9hHKwCSJAPVj3BiiZD43EXYUHvh/F:z4p/t9/UuyrL54QdAPfdGle5F
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe"C:\Users\Admin\AppData\Local\Temp\ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop "Security Center"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Security Center"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop SharedAccess2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f3⤵
- Modifies security service
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f3⤵
- Modifies security service
-
C:\Windows\SysWOW64\REG.exeREG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ctfmon.exe /d "C:\Windows\ctfmon.exe" /t REG_SZ2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3028-0-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/3028-5-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB