Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 13:43
Behavioral task
- behavioral1
  - Sample: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  - Resource: win7-20220812-en
  - Platform: windows7-x64
  - 7 signatures
  - 150 seconds
General
- Target: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
- Size: 436KB
- MD5: bc58beb6c3f4ecd54cba1d7a9f2bef03
- SHA1: 14f03ee21655d66233451f26e64a2df20d00042a
- SHA256: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d
- SHA512: 1f88e24f5168dc2ed592f4c096df067fe35381661d4f24d969c4b5831bb9281a7ee63c4c6806e439fc98d2f06bdfb6509a838652bfb65c45edb7fdf71d5c3f6f
- SSDEEP: 6144:vA9x5O5TLn9BHng5HaH/bNlNvdR1NvVejs9wmQ8XUvubgB:Sx5O5TTfgajhNxVejs9wmQ8XK2U
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot-noip.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot-noip.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Each AuthorizedApplications\List value uses the legacy firewall exception format path:scope:Enabled|Disabled:display name; here the scope is "*" (all networks) and the display name "Windows Messanger" is the attacker-chosen string as written by the sample. Both allowed binaries sit in user-writable locations (AppData\Roaming and AppData\Local\Temp), and DoNotAllowExceptions is forced to 0 so the exception list is honoured.
-
UPX packed file (yara rule: upx) 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3068-132-0x0000000000400000-0x0000000000470000-memory.dmp | upx
  behavioral2/memory/3068-144-0x0000000000400000-0x0000000000470000-memory.dmp | upx
-
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
  pid  | process
  2040 | reg.exe
  1360 | reg.exe
  3204 | reg.exe
  4556 | reg.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  pid  | process
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  All 35 entries have pid 3068 (10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe). Tokens, in the order recorded:
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  The named entries are privilege LUIDs 2 (SeCreateTokenPrivilege) through 30 (SeCreateGlobalPrivilege) in their winnt.h order, and the bare numbers 1 and 31 through 35 are LUIDs the sandbox has no name for. A contiguous run of LUIDs 1 through 35 is consistent with a loop that tries to enable every privilege by number rather than a request for specific privileges such as SeDebugPrivilege; most of these will fail for a non-elevated token, so the list records what was requested, not what was granted.
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  pid  | process
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  pid  | process | target pid | target process | count
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe | 4356 | cmd.exe | 3
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe | 4148 | cmd.exe | 3
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe | 4052 | cmd.exe | 3
  3068 | 10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe | 4792 | cmd.exe | 3
  4356 | cmd.exe | 2040 | reg.exe | 3
  4052 | cmd.exe | 3204 | reg.exe | 3
  4148 | cmd.exe | 1360 | reg.exe | 3
  4792 | cmd.exe | 4556 | reg.exe | 3
  Every write goes from a parent to a child it has just spawned (the same cmd.exe and reg.exe PIDs appear in the process tree below), three writes per child. That is the pattern process creation itself produces when the parent sets up the new process, not evidence of code injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
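Detection example (added to this page; it is not part of the Triage report and not code from the sample). The four REG ADD command lines in the process tree are the whole observable technique, so the check a detection engineer wants is one that parses process-creation command lines, recognises writes under SharedAccess\Parameters\FirewallPolicy\<Profile>, decodes the AuthorizedApplications\List value format path:scope:Enabled|Disabled:name, and flags DoNotAllowExceptions being forced to 0. The script below does that over three of the report's own command lines (the DoNotAllowExceptions write appears twice in the tree) plus two constructed lines that go beyond what this sample did: a benign REG ADD outside the firewall key, and an EnableFirewall=0 write to the DomainProfile key. It also accepts the sandbox's \REGISTRY\MACHINE\SYSTEM\ControlSet001 spelling of the key. Rule names, function names and the severity rating (high when the allowed binary lives under AppData, Temp, Users\Public or ProgramData) are this example's own.

```python
r"""Flag REG ADD command lines that tamper with the legacy Windows Firewall policy keys
under SharedAccess\Parameters\FirewallPolicy\<Profile>. Added example; names are its own."""
import re
from dataclasses import dataclass

# Key as typed on the command line (HKLM\System\CurrentControlSet\...) or as the sandbox
# records it (\REGISTRY\MACHINE\SYSTEM\ControlSet001\...); both spellings match.
FIREWALL_KEY = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\SYSTEM\\"
    r"(?:CurrentControlSet|ControlSet\d{3})\\Services\\SharedAccess\\Parameters\\"
    r"FirewallPolicy\\(?P<profile>\w+Profile)(?P<rest>(?:\\[^\\]+)*)$",
    re.IGNORECASE,
)
# AuthorizedApplications\List values: <path>:<scope>:<Enabled|Disabled>:<display name>
EXCEPTION_VALUE = re.compile(
    r"^(?P<path>.+):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.IGNORECASE)
# User-writable drop locations; a firewall exception for a binary here is the high-severity case.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    rule: str
    profile: str
    detail: str

def split_cmdline(cmd: str) -> list[str]:
    """Split on whitespace, honouring double quotes; backslashes are literal path separators."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def parse_reg_add(cmdline: str):
    """(key, options) for a REG ADD anywhere in the line (so `cmd /c REG ADD ...` works), else None."""
    toks = split_cmdline(cmdline)
    for i, tok in enumerate(toks):
        if (tok.upper().rsplit("\\", 1)[-1] in ("REG", "REG.EXE")
                and i + 2 < len(toks) and toks[i + 1].upper() == "ADD"):
            break
    else:
        return None
    key, opts, j = toks[i + 2], {}, i + 3
    while j < len(toks):
        opt = toks[j].upper()
        if opt in ("/V", "/T", "/D", "/S"):   # options that take an argument
            if j + 1 < len(toks):
                opts[opt] = toks[j + 1]
            j += 2
        else:                                 # /f, /ve, /reg:32 ... are bare flags
            opts[opt] = True
            j += 1
    return key, opts

def _is_zero(data: str) -> bool:
    try:
        return int(data, 0) == 0              # REG_DWORD data may be decimal or 0x-prefixed hex
    except ValueError:
        return False

def analyse(cmdline: str) -> list[Finding]:
    """Findings for one command line; empty unless it writes a firewall policy key."""
    parsed = parse_reg_add(cmdline)
    if parsed is None or not (m := FIREWALL_KEY.match(parsed[0])):
        return []
    profile, rest, opts = m.group("profile"), m.group("rest"), parsed[1]
    name, data = opts.get("/V", ""), opts.get("/D", "")
    findings = []
    if rest.upper() == r"\AUTHORIZEDAPPLICATIONS\LIST":
        ev = EXCEPTION_VALUE.match(data)
        if ev and ev.group("state").lower() == "enabled":
            sev = "high" if USER_WRITABLE.search(ev.group("path")) else "medium"
            findings.append(Finding("firewall_app_exception_added", profile,
                f"{sev}: {ev.group('path')} scope={ev.group('scope')} name={ev.group('name')!r}"))
    elif rest == "" and name.upper() == "DONOTALLOWEXCEPTIONS" and _is_zero(data):
        findings.append(Finding("firewall_exceptions_reenabled", profile,
                                "DoNotAllowExceptions=0: the exception list is honoured again"))
    elif rest == "" and name.upper() == "ENABLEFIREWALL" and _is_zero(data):
        findings.append(Finding("firewall_disabled", profile, "EnableFirewall=0"))
    return findings

def scan(cmdlines) -> list[Finding]:
    return [f for c in cmdlines for f in analyse(c)]

# First three: cmd.exe command lines copied from the process tree above. Last two are constructed.
SAMPLE_CMDLINES = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\10e0b20cef30fbd693b161cd4ce9dd6c881ca68cc7f54e133e103fe359f0850d.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKCU\Software\Contoso\Demo /v InstallPath /t REG_SZ /d "C:\Program Files\Contoso\app.exe" /f',
    r'REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall /t REG_DWORD /d 0 /f',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f.rule, f.profile, f.detail)
```

The detection keys on intent (the write itself), not effect: these StandardProfile keys are the legacy firewall policy store, and the report does not show whether the firewall service on this Windows 10 image honoured them, so a hit should be treated as tampering regardless. Feed it the CommandLine field of Sysmon Event ID 1 or Security 4688 records; the cmd.exe and reg.exe lines in this tree both trigger, so deduplicate on the reg.exe child if you only want one alert per write.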
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1360-142-0x0000000000000000-mapping.dmp
- memory/2040-140-0x0000000000000000-mapping.dmp
- memory/3068-132-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/3068-144-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/3204-141-0x0000000000000000-mapping.dmp
- memory/4052-138-0x0000000000000000-mapping.dmp
- memory/4148-137-0x0000000000000000-mapping.dmp
- memory/4356-136-0x0000000000000000-mapping.dmp
- memory/4556-143-0x0000000000000000-mapping.dmp
- memory/4792-139-0x0000000000000000-mapping.dmp