Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system
- submitted: 18-07-2022 16:48
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
  - Resource: win7-20220718-en
  - Platform: windows7-x64
  - 5 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
  - Resource: win10v2004-20220414-en
  - Platform: windows10-2004-x64
  - 5 signatures
  - 150 seconds
General
- Target: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
- Size: 448KB
- MD5: 8506f62ffe4a7bb780f9a0c127f97f80
- SHA1: e40627e690c45ea0457738adb1c6b857aae5a2eb
- SHA256: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331
- SHA512: af0fa9b50c026d8c8928f340c05c35f941494866c5a52de4425ec7f22202ecf36dacf2015b9cf89a413092de645ab3d1990646feabd94388db9e508c84940fb6
- Score: 10/10
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe:*:Enabled:Windows Messanger" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bshadesbot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bshadesbot.exe:*:Enabled:Windows Messanger" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe

| pid | process |
|---|---|
| 1576 | reg.exe |
| 4052 | reg.exe |
| 3960 | reg.exe |
| 872 | reg.exe |
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe

| description | pid | process |
|---|---|---|
| Token: 1 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeCreateTokenPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeAssignPrimaryTokenPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeLockMemoryPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeIncreaseQuotaPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeMachineAccountPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeTcbPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeSecurityPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeTakeOwnershipPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeLoadDriverPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeSystemProfilePrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeSystemtimePrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeProfSingleProcessPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeIncBasePriorityPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeCreatePagefilePrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeCreatePermanentPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeBackupPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeRestorePrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeShutdownPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeDebugPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeAuditPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeSystemEnvironmentPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeChangeNotifyPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeRemoteShutdownPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeUndockPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeSyncAgentPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeEnableDelegationPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeManageVolumePrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeImpersonatePrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: SeCreateGlobalPrivilege | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: 31 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: 32 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: 33 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: 34 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| Token: 35 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe

| pid | process |
|---|---|
| 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
| 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe |
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 4620 wrote to memory of 2784 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 2784 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 2784 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 4952 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 4952 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 4952 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 4640 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 4640 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 4640 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 2152 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 2152 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4620 wrote to memory of 2152 | 4620 | 513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe | cmd.exe |
| PID 4952 wrote to memory of 872 | 4952 | cmd.exe | reg.exe |
| PID 4952 wrote to memory of 872 | 4952 | cmd.exe | reg.exe |
| PID 4952 wrote to memory of 872 | 4952 | cmd.exe | reg.exe |
| PID 2784 wrote to memory of 3960 | 2784 | cmd.exe | reg.exe |
| PID 2784 wrote to memory of 3960 | 2784 | cmd.exe | reg.exe |
| PID 2784 wrote to memory of 3960 | 2784 | cmd.exe | reg.exe |
| PID 2152 wrote to memory of 4052 | 2152 | cmd.exe | reg.exe |
| PID 2152 wrote to memory of 4052 | 2152 | cmd.exe | reg.exe |
| PID 2152 wrote to memory of 4052 | 2152 | cmd.exe | reg.exe |
| PID 4640 wrote to memory of 1576 | 4640 | cmd.exe | reg.exe |
| PID 4640 wrote to memory of 1576 | 4640 | cmd.exe | reg.exe |
| PID 4640 wrote to memory of 1576 | 4640 | cmd.exe | reg.exe |
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe"
  PID: 4620
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 2784
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 3960
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe:*:Enabled:Windows Messanger" /f
    PID: 4952
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\513f3d244e33a0f77985419c2c2d0206037371f30a3e812680e2f51799879331.exe:*:Enabled:Windows Messanger" /f
      PID: 872
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 4640
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 1576
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bshadesbot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bshadesbot.exe:*:Enabled:Windows Messanger" /f
    PID: 2152
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bshadesbot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bshadesbot.exe:*:Enabled:Windows Messanger" /f
      PID: 4052
      - Modifies firewall policy service
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/872-137-0x0000000000000000-mapping.dmp
- memory/1576-140-0x0000000000000000-mapping.dmp
- memory/2152-136-0x0000000000000000-mapping.dmp
- memory/2784-133-0x0000000000000000-mapping.dmp
- memory/3960-138-0x0000000000000000-mapping.dmp
- memory/4052-139-0x0000000000000000-mapping.dmp
- memory/4640-135-0x0000000000000000-mapping.dmp
- memory/4952-134-0x0000000000000000-mapping.dmp