Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2024 09:57
Static task
static1
Behavioral task
behavioral1
Sample
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
Resource
win10v2004-20240802-en
General
-
Target
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
-
Size
4.8MB
-
MD5
e921ce4ed0ec9ab7f58724d7b2f4e377
-
SHA1
8a4fc01c939d411af40ee3df2f23b6bcec4e989b
-
SHA256
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139
-
SHA512
ae845092c0456367990c511b6bdb3107689c14312f71b11aeaf18051fff2f565d29d0204bfbda9288e5185f274bc78f292bdfea3f0cd7f103aaee2ae02ed43c2
-
SSDEEP
98304:wWoj48rmA6lPPvKStJwzTgJceL/v/DDrIM5PgZLHR6a0Qxk:us8r3AH7nwvwFLvHsMOUa0S
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 1 IoCs
Processes:
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Drops file in System32 directory 4 IoCs
Processes:
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exepid process 4592 a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe 4592 a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe 4592 a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe 4592 a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe"C:\Users\Admin\AppData\Local\Temp\a32d49c89b000373d646acf337f5ad9aa65560f7804b46de3c846fbed77e3139.exe"1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4564