Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 17-08-2024 16:54
Static task: static1

Behavioral task: behavioral1
  Sample: 0ca65873bab019cc2aab4ac90d391250N.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 0ca65873bab019cc2aab4ac90d391250N.exe
  Resource: win10v2004-20240802-en
General

Target: 0ca65873bab019cc2aab4ac90d391250N.exe
Size: 2.8MB
MD5: 0ca65873bab019cc2aab4ac90d391250
SHA1: 45bd6825072b74a0b6882b90734d5c1d5d315722
SHA256: 0b4a29371503050f6a8eef4f22ba7efa31a1d4237879465a8af6193db95f878c
SHA512: 19b9df5d9a99ce6d2183ced8923e0deb0a871eba7522c724d0ffee9d4d69958cee0a65937a24e6b2d89933d23666cbcb8ac84868ddc107da625f87e8166e85dd
SSDEEP: 49152:STT7fhc1mdzO7efDi++aitzWL/lg/4v9JPwapWO5GT/1DNEQ9Taw0Q/Tlk24U:SP7+11kH+a24dg/4vkaEzrJyhw0Ok2
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"
  process: 0ca65873bab019cc2aab4ac90d391250N.exe

PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Drops file in System32 directory (4 IoCs)
  description: File opened for modification
  ioc: C:\Windows\System32\GroupPolicy
  process: 0ca65873bab019cc2aab4ac90d391250N.exe

  description: File opened for modification
  ioc: C:\Windows\System32\GroupPolicy\gpt.ini
  process: 0ca65873bab019cc2aab4ac90d391250N.exe

  description: File created
  ioc: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  process: 0ca65873bab019cc2aab4ac90d391250N.exe

  description: File opened for modification
  ioc: C:\Windows\System32\GroupPolicy\GPT.INI
  process: 0ca65873bab019cc2aab4ac90d391250N.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2208
  process: 0ca65873bab019cc2aab4ac90d391250N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2208 wrote to memory of 1088
  pid: 2208
  process: 0ca65873bab019cc2aab4ac90d391250N.exe
  procid_target: 31

  description: PID 2208 wrote to memory of 1088
  pid: 2208
  process: 0ca65873bab019cc2aab4ac90d391250N.exe
  procid_target: 31

  description: PID 2208 wrote to memory of 1088
  pid: 2208
  process: 0ca65873bab019cc2aab4ac90d391250N.exe
  procid_target: 31
Processes

C:\Users\Admin\AppData\Local\Temp\0ca65873bab019cc2aab4ac90d391250N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ca65873bab019cc2aab4ac90d391250N.exe"
  PID: 2208
  - Modifies firewall policy service
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WerFault.exe (child of PID 2208)
    command line: C:\Windows\system32\WerFault.exe -u -p 2208 -s 232
    PID: 1088