d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71

Analysis

max time kernel
142s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
Size

45KB
MD5

3d3aedfaeaf39544ff74fe6fe4541fc2
SHA1

ad4135e142b3e9564d90d96eca0c21e17f0de542
SHA256

d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
SHA512

703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581
SSDEEP

768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G

Score

9^/10

evasion persistence privilege_escalation upx

Malware Config

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4804-1-0x0000000010000000-0x000000001001A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/4088-8-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe	UPX

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4856 netsh.exe
2436 netsh.exe

pid	process
4856	netsh.exe
2436	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

Executes dropped EXE 2 IoCs

Processes:

mscorsvw.exemscorsvw.exe

pid process

4088 mscorsvw.exe
3280 mscorsvw.exe

pid	process
4088	mscorsvw.exe
3280	mscorsvw.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4088-8-0x0000000000400000-0x0000000000420000-memory.dmp	upx
C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe	upx

Creates a Windows Service
persistence

Drops file in System32 directory 4 IoCs

Processes:

mscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mscorsvw.exe

Drops file in Windows directory 2 IoCs

Processes:

d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
File created	C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 30 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mscorsvw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mscorsvw.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

pid process

4804 d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

pid	process
4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exemscorsvw.exe

description	pid	process	target process
PID 4804 wrote to memory of 2436	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2436	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2436	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4856	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4856	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4856	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4844	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4844	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4844	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2004	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2004	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2004	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4632	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4632	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4632	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4572	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4572	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4572	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2588	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2588	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 2588	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 1992	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 1992	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 1992	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4416	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4416	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 4416	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 3868	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 3868	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4804 wrote to memory of 3868	4804	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe	netsh.exe
PID 4088 wrote to memory of 3280	4088	mscorsvw.exe	mscorsvw.exe
PID 4088 wrote to memory of 3280	4088	mscorsvw.exe	mscorsvw.exe
PID 4088 wrote to memory of 3280	4088	mscorsvw.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
"C:\Users\Admin\AppData\Local\Temp\d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2436

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4856

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4844

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2004

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4632

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4572

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2588

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1992

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4416

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3868

C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe Win7
2⤵
- Executes dropped EXE
PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
Filesize
20.0MB

MD5
09a2fe09dc328d0061c70b7355af4226

SHA1
615f8a9693e1b8843981c0e95895a9316cda2f64

SHA256
dacfaf5624e25339114f22694d69120621c779d091a93c38cf4ed71f4f64aa85

SHA512
2c17356250f38aef17d2e0ce1d7ea73600e53931bc85844d215fa22b665626186560cd3d344559c425e0a97fab4be8aa66bc9e9d2728815cf46b4edd391d2ef2

Download Submit
memory/4088-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4804-1-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/4804-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download