Analysis
- max time kernel: 149s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-09-2022 13:43

Behavioral task: behavioral1
- Sample: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- Resource: win7-20220901-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- Size: 436KB
- MD5: 2a08a2f67a74e5da36720ff8872d9880
- SHA1: 924019130e2ac4a2aa4d44114da87d402ca3f4f1
- SHA256: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78
- SHA512: e7ccb7e606c860fb5f0186306c37849a1e2747bb7f043e7f83e2bc26e6d1083221658c7a07b390c18117554a230b8a3443f43c813426d23c146baa8e3e49ea3e
- SSDEEP: 6144:vA9x5O5TLn9BHng5HaH/bNlNvdR1NvVejs9wmQ8XUvubgj:Sx5O5TTfgajhNxVejs9wmQ8XK2G
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 8 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot-noip.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot-noip.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
YARA rule matches in memory (resource: yara_rule)
- behavioral1/memory/1600-66-0x0000000000400000-0x0000000000470000-memory.dmp: upx
- behavioral1/memory/1600-67-0x0000000000400000-0x0000000000470000-memory.dmp: upx
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- PID 1056: reg.exe
- PID 1084: reg.exe
- PID 320: reg.exe
- PID 1764: reg.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- PID 1600: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
All 35 token adjustments were made by PID 1600 (19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe). Tokens, in the order reported:
- 1
- SeCreateTokenPrivilege
- SeAssignPrimaryTokenPrivilege
- SeLockMemoryPrivilege
- SeIncreaseQuotaPrivilege
- SeMachineAccountPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeCreatePermanentPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeSyncAgentPrivilege
- SeEnableDelegationPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 31
- 32
- 33
- 34
- 35
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- PID 1600: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- PID 1600: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- PID 1600: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Each source/target pair below was reported four times (32 events in total):
- PID 1600 (19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe) wrote to memory of PID 1596 (cmd.exe), 4 times
- PID 1600 (19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe) wrote to memory of PID 896 (cmd.exe), 4 times
- PID 1600 (19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe) wrote to memory of PID 1020 (cmd.exe), 4 times
- PID 1600 (19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe) wrote to memory of PID 328 (cmd.exe), 4 times
- PID 1596 (cmd.exe) wrote to memory of PID 320 (reg.exe), 4 times
- PID 896 (cmd.exe) wrote to memory of PID 1764 (reg.exe), 4 times
- PID 1020 (cmd.exe) wrote to memory of PID 1056 (reg.exe), 4 times
- PID 328 (cmd.exe) wrote to memory of PID 1084 (reg.exe), 4 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
Downloads
- memory/320-62-0x0000000000000000-mapping.dmp
- memory/328-61-0x0000000000000000-mapping.dmp
- memory/896-59-0x0000000000000000-mapping.dmp
- memory/1020-60-0x0000000000000000-mapping.dmp
- memory/1056-64-0x0000000000000000-mapping.dmp
- memory/1084-65-0x0000000000000000-mapping.dmp
- memory/1596-58-0x0000000000000000-mapping.dmp
- memory/1600-57-0x0000000076461000-0x0000000076463000-memory.dmp (Filesize: 8KB)
- memory/1600-66-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/1600-67-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/1764-63-0x0000000000000000-mapping.dmp