Analysis
- max time kernel: 142s
- max time network: 47s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 01:20
Behavioral task: behavioral1
- Sample: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
- Resource: win10v2004-20240508-en
General
- Target: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
- Size: 45KB
- MD5: 3d3aedfaeaf39544ff74fe6fe4541fc2
- SHA1: ad4135e142b3e9564d90d96eca0c21e17f0de542
- SHA256: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
- SHA512: 703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581
- SSDEEP: 768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
Malware Config
Signatures
- Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/4804-1-0x0000000010000000-0x000000001001A000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
  - behavioral2/memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
- UPX dump on OEP (original entry point) (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp / UPX
  - behavioral2/memory/4088-8-0x0000000000400000-0x0000000000420000-memory.dmp / UPX
  - C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe / UPX
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes (pid / process):
  - 4856 / netsh.exe
  - 2436 / netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 4088 / mscorsvw.exe
  - 3280 / mscorsvw.exe
- Processes (resource / yara_rule):
  - behavioral2/memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp / upx
  - behavioral2/memory/4088-8-0x0000000000400000-0x0000000000420000-memory.dmp / upx
  - C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe / upx
- Creates a Windows Service
- Drops file in System32 directory (4 IoCs)
  Processes (description / ioc / process):
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 / mscorsvw.exe
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE / mscorsvw.exe
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies / mscorsvw.exe
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 / mscorsvw.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  - File opened for modification / C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
  - File created / C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 30 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description / ioc / process): 30 entries, every one by netsh.exe against \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, grouped here by description:
  - Key queried / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh / netsh.exe (10 entries)
  - Key value enumerated / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh / netsh.exe (10 entries)
  - Key opened / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh / netsh.exe (10 entries)
- Modifies data under HKEY_USERS (8 IoCs)
  Processes (description / ioc / process):
  - Set value (int) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" / mscorsvw.exe
  - Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix / mscorsvw.exe
  - Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" / mscorsvw.exe
  - Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" / mscorsvw.exe
  - Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ / mscorsvw.exe
  - Set value (int) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" / mscorsvw.exe
  - Set value (int) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" / mscorsvw.exe
  - Set value (int) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" / mscorsvw.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  - 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description / pid / process / target process): 33 entries, each description recorded three times, grouped here by target:
  - PID 4804 wrote to memory of 2436 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 4856 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 4844 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 2004 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 4632 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 4572 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 2588 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 1992 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 4416 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4804 wrote to memory of 3868 / 4804 / d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe / netsh.exe (3 entries)
  - PID 4088 wrote to memory of 3280 / 4088 / mscorsvw.exe / mscorsvw.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
    - Event Triggered Execution: Netsh Helper DLL
- C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe (depth 1)
  Command line: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe (depth 2)
    Command line: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe Win7
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
  Filesize: 20.0MB
  MD5: 09a2fe09dc328d0061c70b7355af4226
  SHA1: 615f8a9693e1b8843981c0e95895a9316cda2f64
  SHA256: dacfaf5624e25339114f22694d69120621c779d091a93c38cf4ed71f4f64aa85
  SHA512: 2c17356250f38aef17d2e0ce1d7ea73600e53931bc85844d215fa22b665626186560cd3d344559c425e0a97fab4be8aa66bc9e9d2728815cf46b4edd391d2ef2
- memory/4088-8-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4804-1-0x0000000010000000-0x000000001001A000-memory.dmp
  Filesize: 104KB
- memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB