Analysis
  max time kernel: 120s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 19/07/2024, 03:16

Static task
  static1

Behavioral task
  behavioral1
  Sample: 473af2b09ea68fa56f19f779a55e2d60N.exe
  Resource: win7-20240704-en

Behavioral task
  behavioral2
  Sample: 473af2b09ea68fa56f19f779a55e2d60N.exe
  Resource: win10v2004-20240709-en
General
  Target: 473af2b09ea68fa56f19f779a55e2d60N.exe
  Size: 328KB
  MD5: 473af2b09ea68fa56f19f779a55e2d60
  SHA1: c9a1250443b5fe9d8cc505e7bc975c9c1b565f97
  SHA256: 7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530
  SHA512: a1de6aa8ebe74fcdab902efe056b3fadbca3033287407e415f9266e425074a2af7c5653cbb5a66849083f929766750c44ee4737561d54add1f1105fff74bafe4
  SSDEEP: 6144:J2XgY8FFX7Z6A/P352p4gFs/e8PeAZuon2T5T7UcIGMAQTeJ:J2X1cFx/PAp4ks/e6Fn2dEZGjQSJ
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  556 | conhost.exe
  1456 | conhost.exe
  2740 | conhost.exe
Loads dropped DLL (6 IoCs)
  pid | Process
  2476 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe

  resource | yara_rule
  behavioral1/memory/1768-460-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1768-466-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1768-508-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1456-1054-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/2740-1065-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral1/memory/1768-1068-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Console Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe" | reg.exe
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2476 set thread context of 1768 | 2476 | 473af2b09ea68fa56f19f779a55e2d60N.exe | 31
  PID 556 set thread context of 1456 | 556 | conhost.exe | 36
  PID 556 set thread context of 2740 | 556 | conhost.exe | 37
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  2524 | reg.exe
  2520 | reg.exe
  2556 | reg.exe
  2140 | reg.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | Process
  Token: 1 | 2740 | conhost.exe
  Token: SeCreateTokenPrivilege | 2740 | conhost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2740 | conhost.exe
  Token: SeLockMemoryPrivilege | 2740 | conhost.exe
  Token: SeIncreaseQuotaPrivilege | 2740 | conhost.exe
  Token: SeMachineAccountPrivilege | 2740 | conhost.exe
  Token: SeTcbPrivilege | 2740 | conhost.exe
  Token: SeSecurityPrivilege | 2740 | conhost.exe
  Token: SeTakeOwnershipPrivilege | 2740 | conhost.exe
  Token: SeLoadDriverPrivilege | 2740 | conhost.exe
  Token: SeSystemProfilePrivilege | 2740 | conhost.exe
  Token: SeSystemtimePrivilege | 2740 | conhost.exe
  Token: SeProfSingleProcessPrivilege | 2740 | conhost.exe
  Token: SeIncBasePriorityPrivilege | 2740 | conhost.exe
  Token: SeCreatePagefilePrivilege | 2740 | conhost.exe
  Token: SeCreatePermanentPrivilege | 2740 | conhost.exe
  Token: SeBackupPrivilege | 2740 | conhost.exe
  Token: SeRestorePrivilege | 2740 | conhost.exe
  Token: SeShutdownPrivilege | 2740 | conhost.exe
  Token: SeDebugPrivilege | 2740 | conhost.exe
  Token: SeAuditPrivilege | 2740 | conhost.exe
  Token: SeSystemEnvironmentPrivilege | 2740 | conhost.exe
  Token: SeChangeNotifyPrivilege | 2740 | conhost.exe
  Token: SeRemoteShutdownPrivilege | 2740 | conhost.exe
  Token: SeUndockPrivilege | 2740 | conhost.exe
  Token: SeSyncAgentPrivilege | 2740 | conhost.exe
  Token: SeEnableDelegationPrivilege | 2740 | conhost.exe
  Token: SeManageVolumePrivilege | 2740 | conhost.exe
  Token: SeImpersonatePrivilege | 2740 | conhost.exe
  Token: SeCreateGlobalPrivilege | 2740 | conhost.exe
  Token: 31 | 2740 | conhost.exe
  Token: 32 | 2740 | conhost.exe
  Token: 33 | 2740 | conhost.exe
  Token: 34 | 2740 | conhost.exe
  Token: 35 | 2740 | conhost.exe
  Token: SeDebugPrivilege | 1456 | conhost.exe (7 entries)
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  2476 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe
  556 | conhost.exe
  2740 | conhost.exe
  2740 | conhost.exe
  1456 | conhost.exe
  2740 | conhost.exe
  2740 | conhost.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows grouped with their count)
  description | pid | Process | procid_target | count
  PID 2476 wrote to memory of 1768 | 2476 | 473af2b09ea68fa56f19f779a55e2d60N.exe | 31 | 8
  PID 1768 wrote to memory of 2056 | 1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe | 32 | 4
  PID 2056 wrote to memory of 1464 | 2056 | cmd.exe | 34 | 4
  PID 1768 wrote to memory of 556 | 1768 | 473af2b09ea68fa56f19f779a55e2d60N.exe | 35 | 4
  PID 556 wrote to memory of 1456 | 556 | conhost.exe | 36 | 8
  PID 556 wrote to memory of 2740 | 556 | conhost.exe | 37 | 8
  PID 2740 wrote to memory of 2892 | 2740 | conhost.exe | 38 | 4
  PID 2740 wrote to memory of 2812 | 2740 | conhost.exe | 39 | 4
  PID 2740 wrote to memory of 2776 | 2740 | conhost.exe | 40 | 4
  PID 2740 wrote to memory of 1084 | 2740 | conhost.exe | 41 | 4
  PID 2776 wrote to memory of 2524 | 2776 | cmd.exe | 47 | 4
  PID 1084 wrote to memory of 2140 | 1084 | cmd.exe | 46 | 4
  PID 2892 wrote to memory of 2520 | 2892 | cmd.exe | 48 | 4
Processes (indentation shows parent/child relationship; the number in brackets is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe"
    PID: 2476
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe"
      PID: 1768
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMWNI.bat" "
        PID: 2056
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /f
          PID: 1464
          - Adds Run key to start application

    [3] C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
        PID: 556
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
          PID: 1456
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

      [4] C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
          PID: 2740
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 2892
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 2520
              - Modifies firewall policy service
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
            PID: 2812

          [6] C:\Windows\SysWOW64\reg.exe
              command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
              PID: 2556
              - Modifies firewall policy service
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 2776
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 2524
              - Modifies firewall policy service
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
            PID: 1084
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
              PID: 2140
              - Modifies firewall policy service
              - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1): Windows Service (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1): Windows Service (1)
Downloads

  Filesize: 154B
  MD5: 0d0a854e96bddf0e7df7f5f024674226
  SHA1: f45ca9c7f935422ddfb0550febdfc7a09baf2d98
  SHA256: 5bab0b5c3ef8a28a7246854074a5a469c602a10ac803d18f2102399597d35907
  SHA512: 8b6db387b3bb5774c691bcdd4d9f3a147e1556eee89fe1de929464510c01b14495157c14cbb355fc850b79dee500b8be7ae7a0c3b5ea0916d6eb9154f9ae73a8

  Filesize: 328KB
  MD5: 473af2b09ea68fa56f19f779a55e2d60
  SHA1: c9a1250443b5fe9d8cc505e7bc975c9c1b565f97
  SHA256: 7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530
  SHA512: a1de6aa8ebe74fcdab902efe056b3fadbca3033287407e415f9266e425074a2af7c5653cbb5a66849083f929766750c44ee4737561d54add1f1105fff74bafe4

  Filesize: 328KB
  MD5: 37ed5d5ba72458e5e07eccc17d86ff2f
  SHA1: c44ec90c20f3908c20aa51e822462d0a760673a2
  SHA256: d312dbf58cbc8be5178590a88855fc7c5585a2b44358ba026ae289ddcc4bfa84
  SHA512: 5265e40b2cc84a33876817a325424711ffd78b41b40e63e4d3f655d051f06acf40b8b38db9e2aaf3b3cf356f9694f015170d7aacf97c4c9cfc24fa543f186e19