Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29-05-2024 02:08
Static task
static1
Behavioral task
behavioral1
Sample
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe
Resource
win7-20240508-en
General
-
Target
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe
-
Size
77KB
-
MD5
721ce91db1511b614eda698111dcd68c
-
SHA1
34a5ef03e4fe55a3afbd59b08f60c3625d9788bc
-
SHA256
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f
-
SHA512
72de4cbd417bd85a1bc78ed82656e985190644a34707377d7b1c473f2ead4d6f64599963f93b0ab224fdbb8000959555309d33080ecdedaea6d5140e8f758d44
-
SSDEEP
1536:LgMXVCT+m0yMVABCafXAbfuLbqp0pAUg0In2aKp+cyf8FIvy5hLy5y7OW8DtbNyg:0oIT+m0xVABCafXAbWLbqp0pAUg0Y2aN
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2720 netsh.exe -
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 2816 server.exe -
Loads dropped DLL 1 IoCs
Processes:
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exepid process 2412 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe Token: 33 2816 server.exe Token: SeIncBasePriorityPrivilege 2816 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exeserver.exedescription pid process target process PID 2412 wrote to memory of 2816 2412 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 2412 wrote to memory of 2816 2412 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 2412 wrote to memory of 2816 2412 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 2412 wrote to memory of 2816 2412 405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe server.exe PID 2816 wrote to memory of 2720 2816 server.exe netsh.exe PID 2816 wrote to memory of 2720 2816 server.exe netsh.exe PID 2816 wrote to memory of 2720 2816 server.exe netsh.exe PID 2816 wrote to memory of 2720 2816 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe"C:\Users\Admin\AppData\Local\Temp\405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2720
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD5721ce91db1511b614eda698111dcd68c
SHA134a5ef03e4fe55a3afbd59b08f60c3625d9788bc
SHA256405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f
SHA51272de4cbd417bd85a1bc78ed82656e985190644a34707377d7b1c473f2ead4d6f64599963f93b0ab224fdbb8000959555309d33080ecdedaea6d5140e8f758d44