32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a

Analysis

max time kernel
132s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe
Size

387KB
MD5

83543858c9a926114b599d8f10e7ce96
SHA1

db9698e46693ceb4057649805e966be9d1952565
SHA256

32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a
SHA512

3ae5613a5114dcb7e514c24fa7f8beb17e8b69b888e6d09547b43ee779f391b8bafefbd7bdd7fa3aad3418aa941e7b36d6d46b7232c05d00b74dc313686246ac
SSDEEP

6144:OIA9+t7Sx8ae62XkHqsctyyln1RtVDsI9iQOeN6YQ0h5:HhpSm5UKsqlnTtxkah5

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 13 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2824	netsh.exe
2928	netsh.exe
2944	netsh.exe
2900	netsh.exe
3068	netsh.exe
2724	netsh.exe
1716	netsh.exe
2028	netsh.exe
2132	netsh.exe
2872	netsh.exe
2228	netsh.exe
2704	netsh.exe
2940	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe
1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1716	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	30
PID 1512 wrote to memory of 1716	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	30
PID 1512 wrote to memory of 1716	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	30
PID 1512 wrote to memory of 1716	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	30
PID 1512 wrote to memory of 2028	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	31
PID 1512 wrote to memory of 2028	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	31
PID 1512 wrote to memory of 2028	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	31
PID 1512 wrote to memory of 2028	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	31
PID 1512 wrote to memory of 3068	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	33
PID 1512 wrote to memory of 3068	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	33
PID 1512 wrote to memory of 3068	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	33
PID 1512 wrote to memory of 3068	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	33
PID 1512 wrote to memory of 2228	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	35
PID 1512 wrote to memory of 2228	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	35
PID 1512 wrote to memory of 2228	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	35
PID 1512 wrote to memory of 2228	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	35
PID 1512 wrote to memory of 2824	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	37
PID 1512 wrote to memory of 2824	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	37
PID 1512 wrote to memory of 2824	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	37
PID 1512 wrote to memory of 2824	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	37
PID 1512 wrote to memory of 2928	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	38
PID 1512 wrote to memory of 2928	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	38
PID 1512 wrote to memory of 2928	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	38
PID 1512 wrote to memory of 2928	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	38
PID 1512 wrote to memory of 2944	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	39
PID 1512 wrote to memory of 2944	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	39
PID 1512 wrote to memory of 2944	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	39
PID 1512 wrote to memory of 2944	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	39
PID 1512 wrote to memory of 2704	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	44
PID 1512 wrote to memory of 2704	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	44
PID 1512 wrote to memory of 2704	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	44
PID 1512 wrote to memory of 2704	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	44
PID 1512 wrote to memory of 2132	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	45
PID 1512 wrote to memory of 2132	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	45
PID 1512 wrote to memory of 2132	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	45
PID 1512 wrote to memory of 2132	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	45
PID 1512 wrote to memory of 2900	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	47
PID 1512 wrote to memory of 2900	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	47
PID 1512 wrote to memory of 2900	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	47
PID 1512 wrote to memory of 2900	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	47
PID 1512 wrote to memory of 2724	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	48
PID 1512 wrote to memory of 2724	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	48
PID 1512 wrote to memory of 2724	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	48
PID 1512 wrote to memory of 2724	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	48
PID 1512 wrote to memory of 2940	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	49
PID 1512 wrote to memory of 2940	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	49
PID 1512 wrote to memory of 2940	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	49
PID 1512 wrote to memory of 2940	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	49
PID 1512 wrote to memory of 2872	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	50
PID 1512 wrote to memory of 2872	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	50
PID 1512 wrote to memory of 2872	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	50
PID 1512 wrote to memory of 2872	1512	32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe	50

C:\Users\Admin\AppData\Local\Temp\32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe
"C:\Users\Admin\AppData\Local\Temp\32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=ËùÓÐtcp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=ËùÓÐudp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=360°²È«ÎÀÊ¿-°²×°
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=360Safe.exe
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=360°²È«ÎÀÊ¿ÊµÊ±±£»¤
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=ËùÓÐtcp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=ËùÓÐudp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=360°²È«ÎÀÊ¿-°²×°
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=360Safe.exe
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=360°²È«ÎÀÊ¿ÊµÊ±±£»¤
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2872