140c76be19d894eef457071b102c482bffe500324f46e87ec72e56eb123c97e4

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa27a9d1d5e385f7339c08f6577c20a0N.exe
Size

1.5MB
MD5

aa27a9d1d5e385f7339c08f6577c20a0
SHA1

237b94bab7b458a034599156c8374569c92fe5c8
SHA256

140c76be19d894eef457071b102c482bffe500324f46e87ec72e56eb123c97e4
SHA512

13b1bc64bdf23c2ae9b67c260c167af4969b117c19d10d8ffcf19e201c679540b6d2f4e2ea45604b85d9455713e6252003ba787a9f408deb52a1a5f40051fc45
SSDEEP

24576:N2mu1SAMIshGejqb0dVp7pHqs5qgmX76ZDCuavVEEyLHTJxow0sncYGZotrnYncm:NEI7Is4ej80bqDHXGZDCFKN90qB5rnOR

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	aa27a9d1d5e385f7339c08f6577c20a0N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\AA27A9~1.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AA27A9~1.EXE:*:Enabled:DNS"	aa27a9d1d5e385f7339c08f6577c20a0N.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aa27a9d1d5e385f7339c08f6577c20a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa27a9d1d5e385f7339c08f6577c20a0N.exe"	aa27a9d1d5e385f7339c08f6577c20a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aa27a9d1d5e385f7339c08f6577c20a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa27a9d1d5e385f7339c08f6577c20a0N.exe"	aa27a9d1d5e385f7339c08f6577c20a0N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\svchost.exe	aa27a9d1d5e385f7339c08f6577c20a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa27a9d1d5e385f7339c08f6577c20a0N.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe
1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	aa27a9d1d5e385f7339c08f6577c20a0N.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aa27a9d1d5e385f7339c08f6577c20a0N.exe

C:\Users\Admin\AppData\Local\Temp\aa27a9d1d5e385f7339c08f6577c20a0N.exe
"C:\Users\Admin\AppData\Local\Temp\aa27a9d1d5e385f7339c08f6577c20a0N.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.5MB

MD5
afea6657d5e48bf9a2479489d8f6cf23

SHA1
ed663d57bd9abe80d32ea63637b8ec6072f80b09

SHA256
7053c894ae9fd536c41f7fdc246ec25dd751a5821d06fa3d2709df91c1ca638a

SHA512
aba24f045ba62543a37652086a790eff21b73493cc3ebe3ba431081bd832c704a3c86343677fcf39f57595345075ed32224834679f68df3103433919de84e32a

Download Submit