Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 13:59
Behavioral task: behavioral1
- Sample: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe
- Resource: win10v2004-20220812-en
General
- Target: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe
- Size: 20KB
- MD5: f484c63d37b4bae82e9234175a9185e7
- SHA1: 9fc47f0336a530b7234deb6a1cb8312501aee398
- SHA256: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4
- SHA512: e7938fb2a0c6d86483a9e59f0e3e3ceda6895e517738d0c4bfb999eb5e4de00f2b4ca347721d8cd513b2c3b70dd233d86ac2ba139f39da81d5cfa0526240d0dc
- SSDEEP: 384:1dvTbdBkQQlBNzawKN2SrZ5XMm22clzY9bjzFRBp6YFubsI3eLGvm:1d7bdjOpabwSraPYr2EIuLw
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe:*:Enabled:Windows Services" (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
Executes dropped EXE (1 IoC)
- pid 4188, Process winrst.exe

resource / yara_rule matches:
- behavioral2/memory/392-132-0x0000000000400000-0x0000000000454000-memory.dmp (yara_rule: upx)
- behavioral2/files/0x0008000000022f67-134.dat (yara_rule: upx)
- behavioral2/files/0x0008000000022f67-135.dat (yara_rule: upx)
- behavioral2/memory/392-136-0x0000000000400000-0x0000000000454000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4188-137-0x0000000000400000-0x0000000000454000-memory.dmp (yara_rule: upx)
- behavioral2/memory/392-138-0x0000000000400000-0x0000000000454000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4188-139-0x0000000000400000-0x0000000000454000-memory.dmp (yara_rule: upx)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "winrst.exe" (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\winrst.exe (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
- File opened for modification: C:\Windows\winrst.exe (Process: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
- pid 4188, Process winrst.exe
Suspicious use of WriteProcessMemory (5 IoCs)
- PID 392 wrote to memory of 4188 (pid 392, Process eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe, procid_target 78)
- PID 392 wrote to memory of 4188 (pid 392, Process eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe, procid_target 78)
- PID 392 wrote to memory of 4188 (pid 392, Process eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe, procid_target 78)
- PID 4188 wrote to memory of 3044 (pid 4188, Process winrst.exe, procid_target 29)
- PID 4188 wrote to memory of 3044 (pid 4188, Process winrst.exe, procid_target 29)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, PID 3044)
  - C:\Users\Admin\AppData\Local\Temp\eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe (command line: "C:\Users\Admin\AppData\Local\Temp\eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4.exe", PID 392)
    - Modifies firewall policy service
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\winrst.exe (command line: "C:\Windows\winrst.exe", PID 4188)
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 20KB
  MD5: f484c63d37b4bae82e9234175a9185e7
  SHA1: 9fc47f0336a530b7234deb6a1cb8312501aee398
  SHA256: eb031f364fc55eebd422a6a2e3397d81e81c8a09bb8fcd03c6d7edab041ed5f4
  SHA512: e7938fb2a0c6d86483a9e59f0e3e3ceda6895e517738d0c4bfb999eb5e4de00f2b4ca347721d8cd513b2c3b70dd233d86ac2ba139f39da81d5cfa0526240d0dc