Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2022 16:48
Static task: static1
Behavioral task: behavioral1
- Sample: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- Resource: win7-20220718-en (windows7-x64)
- 5 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- Resource: win10v2004-20220414-en (windows10-2004-x64)
- 5 signatures, 150 seconds
General
- Target: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- Size: 448KB
- MD5: 8506f62ffe4a7bb780f9a0c127f97f80
- SHA1: e40627e690c45ea0457738adb1c6b857aae5a2eb
- SHA256: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331
- SHA512: af0fa9b50c026d8c8928f340c05c35f941494866c5a52de4425ec7f22202ecf36dacf2015b9cf89a413092de645ab3d1990646feabd94388db9e508c84940fb6
- Score: 10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bshadesbot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bshadesbot.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- PID 916 reg.exe
- PID 300 reg.exe
- PID 2032 reg.exe
- PID 1016 reg.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
Process: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe (PID 1960); privileges adjusted:
- Token: 1
- Token: SeCreateTokenPrivilege
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeLockMemoryPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: SeMachineAccountPrivilege
- Token: SeTcbPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeCreatePermanentPrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeAuditPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeSyncAgentPrivilege
- Token: SeEnableDelegationPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 31
- Token: 32
- Token: 33
- Token: 34
- Token: 35
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- PID 1960 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- PID 1960 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- PID 1960 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- PID 1960 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
- PID 1960 (513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe) wrote to memory of PID 2016 (cmd.exe), 4 events
- PID 1960 (513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe) wrote to memory of PID 1328 (cmd.exe), 4 events
- PID 1960 (513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe) wrote to memory of PID 1348 (cmd.exe), 4 events
- PID 1960 (513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe) wrote to memory of PID 1240 (cmd.exe), 4 events
- PID 2016 (cmd.exe) wrote to memory of PID 2032 (reg.exe), 4 events
- PID 1348 (cmd.exe) wrote to memory of PID 300 (reg.exe), 4 events
- PID 1328 (cmd.exe) wrote to memory of PID 916 (reg.exe), 4 events
- PID 1240 (cmd.exe) wrote to memory of PID 1016 (reg.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bshadesbot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bshadesbot.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bshadesbot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bshadesbot.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
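The four reg.exe command lines in the process tree above are the whole of this sample's firewall tampering: two writes set DoNotAllowExceptions to 0 on the StandardProfile, so that the exception list is honoured again, and two add AuthorizedApplications\List entries that allow the dropped binary and C:\Users\Admin\AppData\Roaming\bshadesbot.exe through the legacy Windows Firewall policy under the misspelled display name "Windows Messanger" (that string is itself a usable indicator). The Python below is an added detection example, not part of the sandbox output: it parses REG ADD command lines from process-creation telemetry, folds the two spellings of the same key that this report shows (HKLM\System\CurrentControlSet in the command lines, \REGISTRY\MACHINE\SYSTEM\ControlSet001 in the signature table), decodes the path:scope:state:name value format, and flags firewall-policy writes, rating an allow rule for a binary in a user-writable directory highest. The EVENTS list is constructed from the process tree; the pairing of reg.exe PIDs with command lines is illustrative, and the benign HKCU control event is invented.

```python
"""Detection helper for the REG ADD firewall-policy writes in this report.
Added example, not part of the sandbox output. EVENTS below is constructed
from the process tree; the PID-to-command pairing is illustrative."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
FIREWALL_POLICY = "\\services\\sharedaccess\\parameters\\firewallpolicy"
LIST_SUFFIX = "\\authorizedapplications\\list"
# Directories a standard user can write to; an allow rule for a binary here is the red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str]
    value_type: Optional[str]
    data: Optional[str]


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted" strings whole
    and leaving backslashes alone (shlex in POSIX mode would strip them)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse 'REG ADD <key> [/v name] [/t type] [/d data] [/f]', optionally wrapped
    in 'cmd /c' as the parent cmd.exe lines are. Returns None for anything else."""
    toks = tokenize(cmdline)
    if len(toks) > 2 and toks[0].lower() in ("cmd", "cmd.exe") and toks[1].lower() == "/c":
        toks = toks[2:]
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    opts = {}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve and any switch this example does not model
    return RegAdd(toks[2], opts.get("/v"), opts.get("/t"), opts.get("/d"))


def normalize_key(key: str) -> str:
    """Fold the spellings of one key: HKLM vs HKEY_LOCAL_MACHINE vs the native
    \\REGISTRY\\MACHINE prefix the sandbox logs, and CurrentControlSet vs ControlSet00N."""
    k = key.lower().replace("/", "\\").strip("\\")
    for prefix in ("registry\\machine\\", "hkey_local_machine\\"):
        if k.startswith(prefix):
            k = "hklm\\" + k[len(prefix):]
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)


def parse_authorized_app(data: str) -> Optional[Tuple[str, str, str, str]]:
    """Decode the legacy AuthorizedApplications\\List value format
    '<path>:<scope>:<Enabled|Disabled>:<display name>'; rsplit keeps the drive colon."""
    parts = data.rsplit(":", 3)
    return tuple(parts) if len(parts) == 4 else None


def analyze(events) -> List[Finding]:
    """events: iterable of (pid, image, cmdline) from process-creation telemetry."""
    findings = []
    for pid, _image, cmdline in events:
        ra = parse_reg_add(cmdline)
        if ra is None:
            continue
        key = normalize_key(ra.key)
        if FIREWALL_POLICY not in key:
            continue
        app = parse_authorized_app(ra.data) if key.endswith(LIST_SUFFIX) and ra.data else None
        if (ra.value_name or "").lower() == "donotallowexceptions" and ra.data == "0":
            findings.append(Finding(pid, "firewall_exceptions_reenabled", f"{ra.key}\\{ra.value_name}=0"))
        elif app and app[2].lower() == "enabled":
            path, _scope, _state, name = app
            rule = ("firewall_allow_user_writable_path" if any(d in path.lower() for d in USER_WRITABLE)
                    else "firewall_allow_rule_added")
            findings.append(Finding(pid, rule, f"{path} ({name})"))
        else:
            findings.append(Finding(pid, "firewall_policy_write", f"{ra.key}\\{ra.value_name or ''}"))
    return findings


# Constructed from the process tree above; PIDs are the reg.exe PIDs the report lists.
FWP = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe"
BOT = r"C:\Users\Admin\AppData\Roaming\bshadesbot.exe"
EVENTS = [
    (2032, "reg.exe", f'REG ADD {FWP} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (916, "reg.exe", f'REG ADD {FWP}\\AuthorizedApplications\\List /v "{SAMPLE}" /t REG_SZ '
                     f'/d "{SAMPLE}:*:Enabled:Windows Messanger" /f'),
    (300, "reg.exe", f'REG ADD {FWP} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (1016, "reg.exe", f'REG ADD {FWP}\\AuthorizedApplications\\List /v "{BOT}" /t REG_SZ '
                      f'/d "{BOT}:*:Enabled:Windows Messanger" /f'),
    # Invented benign control: an unrelated REG ADD that must not fire.
    (4242, "reg.exe", r'REG ADD HKCU\Software\Example /v "Setting" /t REG_DWORD /d "1" /f'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Run on the constructed events it reports the two DoNotAllowExceptions writes and the two allow rules, both rated firewall_allow_user_writable_path because the binaries live under AppData, and stays silent on the HKCU control. The key normalisation matters in practice: endpoint telemetry shows the HKLM\...\CurrentControlSet spelling typed on the command line, while registry-event sources log the resolved \REGISTRY\MACHINE\SYSTEM\ControlSet00N path, and a rule matching only one of them misses the other.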
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/300-63-0x0000000000000000-mapping.dmp
-
memory/916-64-0x0000000000000000-mapping.dmp
-
memory/1016-65-0x0000000000000000-mapping.dmp
-
memory/1240-61-0x0000000000000000-mapping.dmp
-
memory/1328-59-0x0000000000000000-mapping.dmp
-
memory/1348-60-0x0000000000000000-mapping.dmp
-
memory/1960-57-0x0000000075B61000-0x0000000075B63000-memory.dmp (Filesize 8KB)
-
memory/2016-58-0x0000000000000000-mapping.dmp
-
memory/2032-62-0x0000000000000000-mapping.dmp