Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 12:31
Static task: static1
Behavioral task: behavioral1
  Sample: 9312ea4eeda1a918922ae99a21aa1718.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 9312ea4eeda1a918922ae99a21aa1718.exe
  Resource: win10v2004-20240802-en
General
Target: 9312ea4eeda1a918922ae99a21aa1718.exe
Size: 2.7MB
MD5: 9312ea4eeda1a918922ae99a21aa1718
SHA1: 14985e90b26b71b219116dd072a8ed6055aa5356
SHA256: 642b2c1febb5c0e7ba9afeb45b66b9baa7b02d0b24f8b8a3477e3bfdeffa5d6f
SHA512: fa1727bb597f93241abe718d1cb107c3a8e52dee6a2fc004f426215bda3aace50c1293a24bb5d670c1fd81dae2596623e4ae37bef4c0fc39c68af80d4362d625
SSDEEP: 49152:TziCEgBRW2m7P2m9V0yO3xoNhEQfWNpp9ZM2wdXywZ12ufVKkAIbZnADTFV41b6M:TuCdm7PL9GyO3xwhEGWjXjju12OVYIVk
Malware Config
Signatures (from the behavioral1 run on win7-20240704-en, the platform listed under Analysis)

Modifies firewall policy service (3 TTPs, 1 IoC)
  Process: 9312ea4eeda1a918922ae99a21aa1718.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"

PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Drops file in System32 directory (4 IoCs)
  Process: 9312ea4eeda1a918922ae99a21aa1718.exe
  File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI
  File opened for modification: C:\Windows\System32\GroupPolicy
  File opened for modification: C:\Windows\System32\GroupPolicy\gpt.ini

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3024: 9312ea4eeda1a918922ae99a21aa1718.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3024 (9312ea4eeda1a918922ae99a21aa1718.exe) wrote to memory of PID 2956 (WerFault.exe); the same write is recorded three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\9312ea4eeda1a918922ae99a21aa1718.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9312ea4eeda1a918922ae99a21aa1718.exe"
   PID: 3024
   - Modifies firewall policy service
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\WerFault.exe (child of PID 3024)
      Command line: C:\Windows\system32\WerFault.exe -u -p 3024 -s 404
      PID: 2956

Note: WerFault.exe -u -p 3024 is Windows Error Reporting invoked for a fault in PID 3024, the sample itself, and it is the only child process. The WriteProcessMemory IoCs are writes into that WerFault instance, so read the signature list as what the sample did before it faulted rather than as a complete run, and check the behavioral2 (win10v2004-20240802-en) task before concluding the loader never reached its download stage.
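The signatures above are behavioural rules the sandbox evaluated over the sample's registry, file and API activity. The following is an added example, not part of the sandbox report or of any Triage/PrivateLoader tooling, that re-implements those three rules as matchers over a small constructed event stream and aggregates hits per process the way the Signatures block does. The `Event` model, the `EXPECTED_FIREWALL_WRITERS` allowlist and the benign svchost.exe event are assumptions added for illustration; the registry key, file paths, PIDs and the WerFault target are taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Key from the report's "Modifies firewall policy service" IoC. The NT form
# (\REGISTRY\MACHINE\...) and the Win32 forms are both accepted, as is any
# ControlSet number, because the report shows ControlSet001 while live hosts
# usually log CurrentControlSet.
FIREWALL_RULES_KEY = re.compile(
    r"^\\?(?:REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\"
    r"(?:ControlSet\d{3}|CurrentControlSet)\\services\\SharedAccess\\Parameters\\"
    r"FirewallPolicy\\FirewallRules\\",
    re.IGNORECASE,
)
# Directory from the report's "Drops file in System32 directory" IoCs.
GROUP_POLICY_DIR = re.compile(
    r"^[A-Z]:\\Windows\\System32\\GroupPolicy(?:\\|$)", re.IGNORECASE
)
# Assumption (not from the report): images that legitimately write firewall rules.
EXPECTED_FIREWALL_WRITERS = {"svchost.exe", "netsh.exe", "mmc.exe", "msiexec.exe"}


@dataclass
class Event:
    kind: str                    # "registry_set" | "file_create" | "file_modify" | "process_write"
    process: str                 # full image path of the acting process
    pid: int
    target: str                  # registry key, file path, or target image for process_write
    value: Optional[str] = None  # registry data when kind == "registry_set"
    target_pid: Optional[int] = None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev: Event) -> list:
    """Return the names of the report's signatures that this one event satisfies."""
    hits = []
    if ev.kind == "registry_set" and FIREWALL_RULES_KEY.match(ev.target):
        name = "Modifies firewall policy service"
        # The sandbox rule fires for any writer; the allowlist is an added triage aid.
        if basename(ev.process) not in EXPECTED_FIREWALL_WRITERS:
            name += " (unexpected writer)"
        hits.append(name)
    if ev.kind in ("file_create", "file_modify") and GROUP_POLICY_DIR.match(ev.target):
        hits.append("Drops file in System32 directory")
    if ev.kind == "process_write" and basename(ev.target) == "werfault.exe":
        hits.append("Suspicious use of WriteProcessMemory")
    return hits


def triage(events) -> dict:
    """Aggregate hits per (image basename, pid) with IoC counts, like the Signatures block."""
    summary = {}
    for ev in events:
        for name in match_event(ev):
            per_proc = summary.setdefault((basename(ev.process), ev.pid), {})
            per_proc[name] = per_proc.get(name, 0) + 1
    return summary


# Constructed events mirroring the report's IoCs, plus one benign firewall write.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9312ea4eeda1a918922ae99a21aa1718.exe"
FIREWALL_IOC = ("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess"
                "\\Parameters\\FirewallPolicy\\FirewallRules\\C:\\")
EVENTS = [
    Event("registry_set", SAMPLE, 3024, FIREWALL_IOC, value="1"),
    Event("file_create", SAMPLE, 3024, r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol"),
    Event("file_modify", SAMPLE, 3024, r"C:\Windows\System32\GroupPolicy\GPT.INI"),
    Event("file_modify", SAMPLE, 3024, r"C:\Windows\System32\GroupPolicy"),
    Event("file_modify", SAMPLE, 3024, r"C:\Windows\System32\GroupPolicy\gpt.ini"),
    Event("process_write", SAMPLE, 3024, r"C:\Windows\system32\WerFault.exe", target_pid=2956),
    # Constructed benign event: the firewall service adding one of its own rules.
    Event("registry_set", r"C:\Windows\System32\svchost.exe", 1208,
          r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters"
          r"\FirewallPolicy\FirewallRules\CoreNet-DNS-Out-UDP",
          value="v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|"),
]

if __name__ == "__main__":
    for proc, hits in triage(EVENTS).items():
        print(proc, hits)
```

The GroupPolicy rule is the one worth tuning on a real host: Registry.pol and gpt.ini are rewritten by the Group Policy client on every policy refresh, so the file paths alone are noisy and the interesting signal is the writer being a user-profile executable rather than svchost.exe or gpupdate.exe. The same applies to FirewallRules, which is why the example flags the writer instead of the key.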