Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/06/2024, 05:25

General

  • Target

    8adc4888f11ccbeab73928c5f059c77205a7ce146e2d1a747fc99a0a8decb000.exe

  • Size

    16KB

  • MD5

    b51320bb9f7b28568645aab5617e7067

  • SHA1

    58fb6894bc6d25e333fcf2afadf512c7b2b3f0d3

  • SHA256

    8adc4888f11ccbeab73928c5f059c77205a7ce146e2d1a747fc99a0a8decb000

  • SHA512

    375cebeb7a4f8393e1e3f2ad4485814da929c605f02ac2493aa4538e1b229d88175f9c56129eca03d44ebfbf9c77dbeddf9fe8ed24049f65f709b8aeeadac10d

  • SSDEEP

    384:amhf8k06sQyZNpa63IZ0ivDk5X7Isblb4Ll1nLdnWPO:RsQyZNp/3IZ0+Dk5X7Isblb4LlVdnN

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature fires on netsh.exe execution; in this run the observed commands use the legacy `netsh ipsec static` context to build and assign a blocking IPsec policy (see the process tree below) rather than register a helper DLL.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8adc4888f11ccbeab73928c5f059c77205a7ce146e2d1a747fc99a0a8decb000.exe
    "C:\Users\Admin\AppData\Local\Temp\8adc4888f11ccbeab73928c5f059c77205a7ce146e2d1a747fc99a0a8decb000.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\i0od3BLh.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\system32\netsh.exe
        netsh ipsec static exportpolicy ip.ipsec
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\system32\netsh.exe
        netsh ipsec static delete policy name=abandon
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1096
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add policy name=abandon
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2624
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filterlist name=denyip
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2744
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=216.239.36.21
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2668
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=61.143.60.83
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2100
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=112.91.151.37
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2548
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=14.136.207.42
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2708
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=61.143.60.84
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2784
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add filteraction name=denyact action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2628
      • C:\Windows\system32\netsh.exe
        netsh ipsec static add rule name=killu policy=abandon filterlist=denyip filteraction=denyact
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2544
      • C:\Windows\system32\netsh.exe
        netsh ipsec static set policy name=abandon assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2428
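
The batch file's netsh commands above build one IPsec policy in six steps: export the existing policy to ip.ipsec (a backup of the pre-infection state), delete and recreate a policy named abandon, create a filter list denyip with one filter per destination address, create a block filter action denyact, bind list and action to the policy with rule killu, and finally assign the policy, which is the step that makes it take effect. The following Python is an added example, not code from the sandbox or from the sample: it replays those command lines (copied from the process tree) and reconstructs the resulting policy and the set of blocked destinations, so the same logic can be run over netsh command lines collected from process-creation logs. Function names are ours.

```python
"""Reconstruct the IPsec blocking policy assembled by the netsh commands in the
process tree above and extract the destination addresses it blocks.

Added example; not code from the sandbox or the sample.  It works only on the
recorded command-line strings (no Windows calls), so it runs anywhere."""
import ipaddress
import re
from collections import defaultdict

# Command lines copied from the netsh.exe processes in the tree above.
NETSH_CMDLINES = [
    "netsh ipsec static exportpolicy ip.ipsec",
    "netsh ipsec static delete policy name=abandon",
    "netsh ipsec static add policy name=abandon",
    "netsh ipsec static add filterlist name=denyip",
    "netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=216.239.36.21",
    "netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=61.143.60.83",
    "netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=112.91.151.37",
    "netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=14.136.207.42",
    "netsh ipsec static add filter filterlist=denyip srcaddr=0.0.0.0 dstaddr=61.143.60.84",
    "netsh ipsec static add filteraction name=denyact action=block",
    "netsh ipsec static add rule name=killu policy=abandon filterlist=denyip filteraction=denyact",
    "netsh ipsec static set policy name=abandon assign=y",
]

_OBJECT_VERBS = {"add", "delete", "set", "show"}


def parse_netsh_ipsec(cmdline):
    """Split one 'netsh ipsec static ...' line into verb, object, positional
    arguments and key=value parameters; None for anything else (e.g. cmd.exe)."""
    tokens = cmdline.split()
    if len(tokens) < 4:
        return None
    # Accept a bare 'netsh' or a full (possibly quoted) path to netsh.exe.
    exe = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    if exe not in ("netsh", "netsh.exe") or [t.lower() for t in tokens[1:3]] != ["ipsec", "static"]:
        return None
    verb = tokens[3].lower()
    params, positional = {}, []
    for tok in tokens[4:]:
        key, sep, value = tok.partition("=")
        if sep:
            params[key.lower()] = value.strip('"')
        else:
            positional.append(tok)
    # add/delete/set/show take the object type (policy, filterlist, ...) first.
    obj = positional.pop(0).lower() if verb in _OBJECT_VERBS and positional else None
    return {"verb": verb, "object": obj, "positional": positional, "params": params}


def _yes(value):
    return str(value).lower() in ("y", "yes")


def reconstruct_policy(cmdlines):
    """Replay the commands in order and return the resulting policy state.
    Only an assigned policy is enforced, so assignment is tracked explicitly."""
    state = {
        "exported": [],                    # exportpolicy targets (backup of the old policy)
        "policies": {},                    # name -> {"assigned": bool}
        "filterlists": defaultdict(list),  # name -> list of filter param dicts
        "filteractions": {},               # name -> block | permit | negotiate
        "rules": [],                       # rule param dicts binding list + action to a policy
        "unparsed": [],                    # lines that were not netsh ipsec static
    }
    for line in cmdlines:
        cmd = parse_netsh_ipsec(line)
        if cmd is None:
            state["unparsed"].append(line)
            continue
        verb, obj, p = cmd["verb"], cmd["object"], cmd["params"]
        if verb == "exportpolicy":
            state["exported"].extend(cmd["positional"])
        elif (verb, obj) == ("add", "policy"):
            state["policies"][p["name"]] = {"assigned": _yes(p.get("assign", "no"))}
        elif (verb, obj) == ("delete", "policy"):
            state["policies"].pop(p.get("name"), None)  # delete-then-add keeps the script idempotent
        elif (verb, obj) == ("set", "policy") and "assign" in p:
            state["policies"].setdefault(p["name"], {})["assigned"] = _yes(p["assign"])
        elif (verb, obj) == ("add", "filterlist"):
            state["filterlists"].setdefault(p["name"], [])
        elif (verb, obj) == ("add", "filter"):
            # Omitted fields take netsh defaults (protocol=any, mirrored=yes),
            # so each filter matches traffic to and from the address.
            state["filterlists"][p["filterlist"]].append(p)
        elif (verb, obj) == ("add", "filteraction"):
            state["filteractions"][p["name"]] = p.get("action", "").lower()
        elif (verb, obj) == ("add", "rule"):
            state["rules"].append(p)
    return state


def blocked_destinations(state):
    """Destinations actually blocked: filter lists bound by a rule to a 'block'
    filter action inside a policy that is assigned."""
    blocked = set()
    for rule in state["rules"]:
        if not state["policies"].get(rule.get("policy"), {}).get("assigned"):
            continue
        if state["filteractions"].get(rule.get("filteraction")) != "block":
            continue
        for flt in state["filterlists"].get(rule.get("filterlist"), []):
            dst = flt.get("dstaddr", "any")
            try:
                blocked.add(str(ipaddress.ip_address(dst)))
            except ValueError:
                blocked.add(dst.lower())  # keep 'me', 'any' or a DNS name as written
    return blocked


if __name__ == "__main__":
    policy = reconstruct_policy(NETSH_CMDLINES)
    print("backup written to:", policy["exported"])
    print("blocked destinations:", sorted(blocked_destinations(policy)))
```

An unassigned policy does nothing, so the final `set policy name=abandon assign=y` is the line worth alerting on; `blocked_destinations` returns an empty set when it is absent. On an affected host the policy can be unassigned with `netsh ipsec static set policy name=abandon assign=n` and removed with `netsh ipsec static delete policy name=abandon`; if the exported ip.ipsec file is still present (it was written with a relative path, so its location depends on the working directory of the cmd.exe that ran the batch), the original policy can be restored with `netsh ipsec static importpolicy file=ip.ipsec`.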

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\i0od3BLh.bat

    Filesize

    10KB

    MD5

    820f8041f0db5eb4c4208da13e90dabd

    SHA1

    ffc81fd62ac8b7c689ff4537644a3147ee1e25f1

    SHA256

    7d32883a14c09c558940ea9cb998a3aafb40613e334e6108c3863d25c05fc6e1

    SHA512

    d1cb69cc6470354d2e71f5ba10c1640c46a7eb51d743abd72a1cb464c2aefc3c7ee20983082336e6e68c5fc5684a455d0cd97e1c170d63ea340e34b7a251923e

  • memory/2244-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

    Filesize

    4KB

  • memory/2244-1-0x00000000000A0000-0x00000000000AA000-memory.dmp

    Filesize

    40KB