Analysis
max time kernel: 296s
max time network: 305s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-05-2024 05:39
Behavioral tasks
behavioral1: sample mason.exe, resource win10-20240404-en
behavioral2: sample mason.exe, resource win7-20240508-en
behavioral3: sample mason.exe, resource win10-20240404-en
behavioral4: sample mason.exe, resource win10v2004-20240226-en
behavioral5: sample mason.exe, resource win11-20240419-en
General
Target: mason.exe
Size: 37KB
MD5: a0f12925c12879a07c9be4ab0af9403b
SHA1: 4c51dd1593f37b84e8a8f862bc3331a4e346e10c
SHA256: 085c75ce23e613be57511c5a2dc46b27ae0311ba058e7299ffdbf0226047b3e9
SHA512: 9c33817572ff1ae66dafb7f6b589ad48fa62831738fc02240969f7df47895f55d257a35ed38f13b6d1b288d67fa68a6173c2344088bdaec880d2d4cbec538765
SSDEEP: 384:WmOs0IiejvCVLO309QmykrtG+dA+VfwvOSifrAF+rMRTyN/0L+EcoinblneHQM3X:wFdGdkrgYRwWS0rM+rMRa8NuIuELt
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe (pid 4568)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
Token: SeDebugPrivilege 2816 mason.exe
Token: 33 2816 mason.exe
Token: SeIncBasePriorityPrivilege 2816 mason.exe
(the last two entries alternate for the remaining IoCs, all from pid 2816 mason.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
PID 2816 wrote to memory of 4568 2816 mason.exe netsh.exe
(the same entry is recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\mason.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\mason.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\SysWOW64\netsh.exe
   command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mason.exe" "mason.exe" ENABLE
   - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/2816-0-0x00000000737F1000-0x00000000737F2000-memory.dmp (filesize 4KB)
memory/2816-1-0x00000000737F0000-0x0000000073DA0000-memory.dmp (filesize 5.7MB)
memory/2816-2-0x00000000737F0000-0x0000000073DA0000-memory.dmp (filesize 5.7MB)
memory/2816-3-0x00000000737F0000-0x0000000073DA0000-memory.dmp (filesize 5.7MB)
memory/2816-4-0x00000000737F0000-0x0000000073DA0000-memory.dmp (filesize 5.7MB)
memory/2816-5-0x00000000737F0000-0x0000000073DA0000-memory.dmp (filesize 5.7MB)