49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053

General

Target

49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Size

98KB
MD5

cec3895ea3c9b342846a6e353a0d469c
SHA1

49678bc64c8970592bce0600e1f959d044648220
SHA256

49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053
SHA512

9625d099edd496d17938a7ea5fc17a685e186fb1874ec7d782257581a84f3c73e3490e20ce86ffdacf201d8f9a57fab94cc2c275b410bd19669570a82ec8a227
SSDEEP

1536:6AXHYCB9jgDYwrFoKZvRLITR9VVB3F3DsjZqO6O/XQJi+sGEzHXNaj5aKY:BHYC/ZKJidTVzYqO6OoJiMOHXNeaK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\rundll32.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Service Host Process for Windows = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Client Server Runtime Process = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	csrss.exe
2292	csrss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\rundll32.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\System32\\rundll32.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Process for Windows = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host Process for Windows = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4924 set thread context of 2292	4924	csrss.exe	90

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 4908 wrote to memory of 1328	4908	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	82
PID 1328 wrote to memory of 4924	1328	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	83
PID 1328 wrote to memory of 4924	1328	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	83
PID 1328 wrote to memory of 4924	1328	49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe	83
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90
PID 4924 wrote to memory of 2292	4924	csrss.exe	90

C:\Users\Admin\AppData\Local\Temp\49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
"C:\Users\Admin\AppData\Local\Temp\49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe
  "C:\Users\Admin\AppData\Local\Temp\49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    C:\Users\Admin\AppData\Roaming\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Users\Admin\AppData\Roaming\csrss.exe
      "C:\Users\Admin\AppData\Roaming\csrss.exe"
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Adds Run key to start application
      PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System32\rundll32.exe

Filesize
98KB

MD5
cec3895ea3c9b342846a6e353a0d469c

SHA1
49678bc64c8970592bce0600e1f959d044648220

SHA256
49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053

SHA512
9625d099edd496d17938a7ea5fc17a685e186fb1874ec7d782257581a84f3c73e3490e20ce86ffdacf201d8f9a57fab94cc2c275b410bd19669570a82ec8a227

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
98KB

MD5
cec3895ea3c9b342846a6e353a0d469c

SHA1
49678bc64c8970592bce0600e1f959d044648220

SHA256
49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053

SHA512
9625d099edd496d17938a7ea5fc17a685e186fb1874ec7d782257581a84f3c73e3490e20ce86ffdacf201d8f9a57fab94cc2c275b410bd19669570a82ec8a227

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
98KB

MD5
cec3895ea3c9b342846a6e353a0d469c

SHA1
49678bc64c8970592bce0600e1f959d044648220

SHA256
49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053

SHA512
9625d099edd496d17938a7ea5fc17a685e186fb1874ec7d782257581a84f3c73e3490e20ce86ffdacf201d8f9a57fab94cc2c275b410bd19669570a82ec8a227

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
98KB

MD5
cec3895ea3c9b342846a6e353a0d469c

SHA1
49678bc64c8970592bce0600e1f959d044648220

SHA256
49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053

SHA512
9625d099edd496d17938a7ea5fc17a685e186fb1874ec7d782257581a84f3c73e3490e20ce86ffdacf201d8f9a57fab94cc2c275b410bd19669570a82ec8a227

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
98KB

MD5
cec3895ea3c9b342846a6e353a0d469c

SHA1
49678bc64c8970592bce0600e1f959d044648220

SHA256
49b979552fe7bcca940f3670676f0b01bc03a4bf892783e82ee17e0941865053

SHA512
9625d099edd496d17938a7ea5fc17a685e186fb1874ec7d782257581a84f3c73e3490e20ce86ffdacf201d8f9a57fab94cc2c275b410bd19669570a82ec8a227

Download Submit
memory/1328-136-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1328-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1328-142-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1328-135-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1328-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads