Analysis

  • max time kernel
    131s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/08/2024, 20:20

General

  • Target

    32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe

  • Size

    387KB

  • MD5

    83543858c9a926114b599d8f10e7ce96

  • SHA1

    db9698e46693ceb4057649805e966be9d1952565

  • SHA256

    32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a

  • SHA512

    3ae5613a5114dcb7e514c24fa7f8beb17e8b69b888e6d09547b43ee779f391b8bafefbd7bdd7fa3aad3418aa941e7b36d6d46b7232c05d00b74dc313686246ac

  • SSDEEP

    6144:OIA9+t7Sx8ae62XkHqsctyyln1RtVDsI9iQOeN6YQ0h5:HhpSm5UKsqlnTtxkah5

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 13 IoCs

    Thirteen netsh advfirewall invocations, run as two near-identical cycles: the firewall is switched off for all profiles, switched back on, two outbound block rules are added for a fixed remote-port list, and three rules are deleted by name. The rule names are GBK-encoded Chinese: 所有tcp / 所有udp ("all tcp" / "all udp") for the block rules, and 360安全卫士-安装 ("360 Safe Guard - Install"), 360Safe.exe and 360安全卫士实时保护 ("360 Safe Guard Real-time Protection") for the deleted rules, i.e. rules belonging to the 360 Safe Guard security product. Both block rules specify protocol=TCP, including the one named for UDP, so no UDP traffic is actually blocked by them.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Every netsh command line in this report is an advfirewall command; none registers a helper DLL (no "netsh add helper"), so treat this tag as a flag on netsh.exe execution rather than as evidence of helper-DLL persistence.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe
    "C:\Users\Admin\AppData\Local\Temp\32d1723807b96316bd6a45919821a555d5ae35906db5e5ddc1ee1de4c25c787a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2636
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1056
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=所有tcp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2904
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=所有udp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4488
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=360安全卫士-安装
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2480
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=360Safe.exe
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:948
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=360安全卫士实时保护
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1852
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3972
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=所有tcp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2808
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=所有udp protocol=TCP dir=out remoteport=10044,54360,3600,3601,10044,62715,19431,54360,49559,3600,3602,55117,3600,64240,80,49156 action=block
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4076
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=360安全卫士-安装
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2412
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=360Safe.exe
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3764
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=360安全卫士实时保护
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1840
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4004
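The netsh sequence above is the kind of thing worth catching from process-creation telemetry (Sysmon event 1 or Security 4688) rather than from the sandbox alone. The following is an added example, not part of this report or of the sample: it parses netsh advfirewall command lines, classifies each one (firewall disabled, outbound block rule, rule deleted for a security product, rule name that contradicts its protocol) and collects the distinct remote ports the block rules cover. The command lines are a constructed copy of one cycle from the process tree with the GBK rule names decoded; the SECURITY_PRODUCT_MARKERS list is an assumption to extend for your own estate.

```python
"""Classify netsh advfirewall command lines seen in process-creation logs."""
import re
from collections import Counter

# Constructed sample input: one cycle of the netsh sequence from the process
# tree above, rule names decoded from GBK to the Chinese the sample passes.
PORT_LIST = ("10044,54360,3600,3601,10044,62715,19431,54360,49559,"
             "3600,3602,55117,3600,64240,80,49156")
SAMPLE_COMMANDS = [
    "netsh advfirewall set allprofiles state off",
    "netsh advfirewall set allprofiles state on",
    f"netsh advfirewall firewall add rule name=所有tcp protocol=TCP dir=out remoteport={PORT_LIST} action=block",
    f"netsh advfirewall firewall add rule name=所有udp protocol=TCP dir=out remoteport={PORT_LIST} action=block",
    "netsh advfirewall firewall delete rule name=360安全卫士-安装",
    "netsh advfirewall firewall delete rule name=360Safe.exe",
    "netsh advfirewall firewall delete rule name=360安全卫士实时保护",
]

# Assumed list of rule-name fragments that identify a security product.
SECURITY_PRODUCT_MARKERS = ("360安全卫士", "360safe")

# key=value pairs as netsh accepts them (no quoting needed for these samples)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_netsh(cmdline: str):
    """Return a dict describing an advfirewall command, or None for anything else."""
    tokens = cmdline.strip().split()
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("netsh", "netsh.exe") or tokens[1].lower() != "advfirewall":
        return None
    low = [t.lower() for t in tokens]
    if low[2:5] == ["set", "allprofiles", "state"] and len(tokens) >= 6:
        return {"action": "set_state", "state": low[5]}
    if low[2] == "firewall" and low[3] in ("add", "delete") and low[4] == "rule":
        args = {k.lower(): v for k, v in KV_RE.findall(" ".join(tokens[5:]))}
        return {"action": f"{low[3]}_rule", "args": args}
    return None


def classify(parsed) -> list:
    """Map one parsed command to zero or more detection findings."""
    findings = []
    if parsed["action"] == "set_state" and parsed["state"] == "off":
        findings.append("firewall_disabled_all_profiles")
    elif parsed["action"] == "add_rule":
        a = parsed["args"]
        if a.get("action", "").lower() == "block" and a.get("dir", "").lower() == "out":
            findings.append("outbound_block_rule")
        name, proto = a.get("name", "").lower(), a.get("protocol", "").lower()
        # e.g. a rule named "...udp" that actually filters TCP, as in this report
        if ("udp" in name and proto == "tcp") or ("tcp" in name and proto == "udp"):
            findings.append("rule_name_protocol_mismatch")
    elif parsed["action"] == "delete_rule":
        name = parsed["args"].get("name", "").lower()
        if any(marker in name for marker in SECURITY_PRODUCT_MARKERS):
            findings.append("security_product_rule_deleted")
    return findings


def blocked_remote_ports(parsed) -> set:
    """Distinct remote ports from an added rule (the sample's list repeats several)."""
    if parsed["action"] != "add_rule":
        return set()
    return {int(p) for p in parsed["args"].get("remoteport", "").split(",") if p.isdigit()}


def triage(cmdlines) -> dict:
    """Summarise findings and blocked ports across a list of command lines."""
    counts, ports = Counter(), set()
    for line in cmdlines:
        parsed = parse_netsh(line)
        if parsed is None:
            continue
        counts.update(classify(parsed))
        ports |= blocked_remote_ports(parsed)
    return {"findings": dict(counts), "blocked_ports": sorted(ports)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_COMMANDS), ensure_ascii=False, indent=2))
```

Feed it the CommandLine field of each netsh.exe process-creation event; the "firewall_disabled_all_profiles" and "security_product_rule_deleted" findings are worth alerting on individually, while the port list is the pivot for checking what the blocked destinations were used for on the host.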

Network

MITRE ATT&CK Enterprise v15
