Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
28-05-2024 14:17
Static task
static1
Behavioral task
behavioral1
Sample
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe
Resource
win7-20240508-en
General
-
Target
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe
-
Size
77KB
-
MD5
721ce91db1511b614eda698111dcd68c
-
SHA1
34a5ef03e4fe55a3afbd59b08f60c3625d9788bc
-
SHA256
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f
-
SHA512
72de4cbd417bd85a1bc78ed82656e985190644a34707377d7b1c473f2ead4d6f64599963f93b0ab224fdbb8000959555309d33080ecdedaea6d5140e8f758d44
-
SSDEEP
1536:LgMXVCT+m0yMVABCafXAbfuLbqp0pAUg0In2aKp+cyf8FIvy5hLy5y7OW8DtbNyg:0oIT+m0xVABCafXAbWLbqp0pAUg0Y2aN
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2848 netsh.exe -
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2428 server.exe -
Loads dropped DLL 1 IoCs
Processes:
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exepid process 3008 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe Token: 33 2428 server.exe Token: SeIncBasePriorityPrivilege 2428 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exeserver.exedescription pid process target process PID 3008 wrote to memory of 2428 3008 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 3008 wrote to memory of 2428 3008 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 3008 wrote to memory of 2428 3008 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 3008 wrote to memory of 2428 3008 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 2428 wrote to memory of 2848 2428 server.exe netsh.exe PID 2428 wrote to memory of 2848 2428 server.exe netsh.exe PID 2428 wrote to memory of 2848 2428 server.exe netsh.exe PID 2428 wrote to memory of 2848 2428 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe"C:\Users\Admin\AppData\Local\Temp\405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2848
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD5721ce91db1511b614eda698111dcd68c
SHA134a5ef03e4fe55a3afbd59b08f60c3625d9788bc
SHA256405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f
SHA51272de4cbd417bd85a1bc78ed82656e985190644a34707377d7b1c473f2ead4d6f64599963f93b0ab224fdbb8000959555309d33080ecdedaea6d5140e8f758d44