10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d

General

Target

10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Size

436KB
MD5

bc58beb6c3f4ecd54cba1d7a9f2bef03
SHA1

14f03ee21655d66233451f26e64a2df20d00042a
SHA256

10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d
SHA512

1f88e24f5168dc2ed592f4c096df067fe35381661d4f24d969c4b5831bb9281a7ee63c4c6806e439fc98d2f06bdfb6509a838652bfb65c45edb7fdf71d5c3f6f
SSDEEP

6144:vA9x5O5TLn9BHng5HaH/bNlNvdR1NvVejs9wmQ8XUvubgB:Sx5O5TTfgajhNxVejs9wmQ8XK2U

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot-noip.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot-noip.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3068-132-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3068-144-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2040 reg.exe
1360 reg.exe
3204 reg.exe
4556 reg.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe

pid process

3068 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe

pid	process
2040	reg.exe
1360	reg.exe
3204	reg.exe
4556	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe

description	pid	process
Token: 1	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeCreateTokenPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeAssignPrimaryTokenPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeLockMemoryPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeIncreaseQuotaPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeMachineAccountPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeTcbPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeSecurityPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeTakeOwnershipPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeLoadDriverPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeSystemProfilePrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeSystemtimePrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeProfSingleProcessPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeIncBasePriorityPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeCreatePagefilePrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeCreatePermanentPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeBackupPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeRestorePrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeShutdownPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeDebugPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeAuditPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeSystemEnvironmentPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeChangeNotifyPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeRemoteShutdownPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeUndockPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeSyncAgentPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeEnableDelegationPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeManageVolumePrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeImpersonatePrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: SeCreateGlobalPrivilege	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: 31	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: 32	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: 33	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: 34	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
Token: 35	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe

pid	process
3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 4356	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4356	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4356	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4148	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4148	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4148	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4052	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4052	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4052	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4792	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4792	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 3068 wrote to memory of 4792	3068	10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe	cmd.exe
PID 4356 wrote to memory of 2040	4356	cmd.exe	reg.exe
PID 4052 wrote to memory of 3204	4052	cmd.exe	reg.exe
PID 4356 wrote to memory of 2040	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 2040	4356	cmd.exe	reg.exe
PID 4052 wrote to memory of 3204	4052	cmd.exe	reg.exe
PID 4052 wrote to memory of 3204	4052	cmd.exe	reg.exe
PID 4148 wrote to memory of 1360	4148	cmd.exe	reg.exe
PID 4148 wrote to memory of 1360	4148	cmd.exe	reg.exe
PID 4148 wrote to memory of 1360	4148	cmd.exe	reg.exe
PID 4792 wrote to memory of 4556	4792	cmd.exe	reg.exe
PID 4792 wrote to memory of 4556	4792	cmd.exe	reg.exe
PID 4792 wrote to memory of 4556	4792	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
"C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-142-0x0000000000000000-mapping.dmp

Download
memory/2040-140-0x0000000000000000-mapping.dmp

Download
memory/3068-132-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3068-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3204-141-0x0000000000000000-mapping.dmp

Download
memory/4052-138-0x0000000000000000-mapping.dmp

Download
memory/4148-137-0x0000000000000000-mapping.dmp

Download
memory/4356-136-0x0000000000000000-mapping.dmp

Download
memory/4556-143-0x0000000000000000-mapping.dmp

Download
memory/4792-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads