Analysis
- max time kernel: 169s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 13:43
Behavioral task
- behavioral1 (a separate run of the same sample; the results on this page are from behavioral2 on windows10-2004_x64, as the memory dump names below show)
  - Sample: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
  - Resource: win7-20220901-en (windows7-x64)
  - 7 signatures, 150 seconds
General
- Target: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
- Size: 436KB
- MD5: 2a08a2f67a74e5da36720ff8872d9880
- SHA1: 924019130e2ac4a2aa4d44114da87d402ca3f4f1
- SHA256: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78
- SHA512: e7ccb7e606c860fb5f0186306c37849a1e2747bb7f043e7f83e2bc26e6d1083221658c7a07b390c18117554a230b8a3443f43c813426d23c146baa8e3e49ea3e
- SSDEEP: 6144:vA9x5O5TLn9BHng5HaH/bNlNvdR1NvVejs9wmQ8XUvubgj:Sx5O5TTfgajhNxVejs9wmQ8XK2G
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
Processes: reg.exe (x4)
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (written as StandardProfile below); this is the legacy XP/Server 2003 firewall policy location, and the REG ADD command lines in the process tree spell it HKLM\System\CurrentControlSet\..., which resolves to ControlSet001 here.
- Key created: StandardProfile\AuthorizedApplications (reg.exe)
- Key created: StandardProfile (reg.exe)
- Key created: StandardProfile\AuthorizedApplications\List (reg.exe)
- Key created: StandardProfile (reg.exe)
- Set value (str): StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot-noip.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot-noip.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (str): StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (int): StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: StandardProfile\AuthorizedApplications\List (reg.exe)
- Key created: StandardProfile (reg.exe)
- Set value (int): StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Both allow-list values use the format path:scope:Enabled:display name, with scope "*" (any remote address) and the display name "Windows Messanger" (the sample's own misspelling, kept verbatim as a string IoC). The second entry points at C:\Users\Admin\AppData\Roaming\bot-noip.exe, a path that appears nowhere else in this report; together with the RenamesItself signature it suggests the sample relocates itself there, but no file event in this report confirms that. Setting DoNotAllowExceptions to 0 turns the profile's "block all incoming" mode off so the new exceptions take effect.
UPX packed file (YARA rule upx) 2 IoCs
Resources:
- behavioral2/memory/1640-132-0x0000000000400000-0x0000000000470000-memory.dmp (yara_rule: upx)
- behavioral2/memory/1640-133-0x0000000000400000-0x0000000000470000-memory.dmp (yara_rule: upx)
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe (x4)
- pid 4736 reg.exe
- pid 1052 reg.exe
- pid 1404 reg.exe
- pid 1576 reg.exe
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- pid 1640 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe (pid 1640)
Token privileges adjusted by pid 1640, in the order recorded: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35.
The entries shown as bare numbers (1 and 31 to 35) are privilege LUIDs the sandbox does not map to a name. Taken together the list walks every LUID from 1 to 35 in sequence, which is consistent with a loop that tries to enable every privilege on the token rather than a targeted request for, say, SeDebugPrivilege alone; whether each request succeeded depends on what the Admin user's token actually holds and is not recorded here.
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- pid 1640 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe (3 calls)
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe, cmd.exe (x4)
Source pid -> target pid (each pair was recorded three times):
- 1640 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe -> 4840 cmd.exe (x3)
- 1640 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe -> 4632 cmd.exe (x3)
- 1640 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe -> 4556 cmd.exe (x3)
- 1640 19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe -> 4628 cmd.exe (x3)
- 4556 cmd.exe -> 4736 reg.exe (x3)
- 4632 cmd.exe -> 1052 reg.exe (x3)
- 4628 cmd.exe -> 1576 reg.exe (x3)
- 4840 cmd.exe -> 1404 reg.exe (x3)
Every write targets a child the source process itself spawned, the pattern ordinary process creation leaves in this sandbox; nothing here shows code written into a process the sample did not start.
Processes
The SysWOW64 paths show the sample runs as a 32-bit process on the x64 VM (hence the arch:x86 tag). All four child chains are cmd.exe /c REG ADD ... spawning reg.exe; each REG ADD targets the legacy firewall policy key under StandardProfile. The depth markers 1/2/3 from the original tree are shown as indentation.
- [1] C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe (pid 1640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\19973ff319f06c55f12eb26bd8560078f0a849db92867fb40a5a6a00c5cdac78.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
On Vista and later the firewall service keeps its live rules under FirewallPolicy\FirewallRules, so a host check after an infection like this should inspect both that key and the legacy AuthorizedApplications\List key written here.
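The four REG ADD command lines above are exactly what a process-creation log (Sysmon event 1, EDR telemetry) would carry. The following Python is an added example, not code from the sandbox or the sample: it parses REG ADD invocations in both the bare and the cmd /c wrapped form, normalises the key spelling (HKLM\System\CurrentControlSet\... in the command line versus \REGISTRY\MACHINE\SYSTEM\ControlSet001\... in the signature listing), and raises findings for the two actions this sample performs, DoNotAllowExceptions = 0 and an AuthorizedApplications\List entry, ranking an allow-listed binary under a user-writable path as high. The function names, severities and the two control lines are this example's own choices; the first two sample lines are copied from the process tree.

```python
"""Flag legacy Windows Firewall tampering in REG ADD command lines.

Added example for this report, not code from the sandbox or the sample.
All names here are the example's own.
"""
import re

# Windows command-line tokenizer: a double-quoted run becomes one token.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Normalised legacy firewall policy key; `sub` is set for the allow-list.
_FIREWALL_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SHAREDACCESS\\PARAMETERS\\"
    r"FIREWALLPOLICY\\(?P<profile>STANDARD|DOMAIN|PUBLIC)PROFILE"
    r"(?:\\(?P<sub>AUTHORIZEDAPPLICATIONS\\LIST))?$"
)

# Paths a non-admin user can write to; an allow-listed binary there is worse
# than one under Program Files.
_USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:USERS\\[^\\]+\\APPDATA\\|PROGRAMDATA\\|WINDOWS\\TEMP\\)", re.I
)


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def normalize_key(key):
    """Map command-line and sandbox-log spellings of a key to one upper-case form."""
    k = key.strip("\\").upper()
    k = re.sub(r"^(?:REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)", "HKLM", k)
    return re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", k)


def parse_reg_add(cmdline):
    """Return {key, name, type, data, force} for a REG ADD line (bare or `cmd /c`), else None."""
    toks = tokenize(cmdline)
    upper = [t.upper() for t in toks]
    start = next((i for i in range(len(toks) - 2)
                  if upper[i] in ("REG", "REG.EXE") or upper[i].endswith("\\REG.EXE")
                  if upper[i + 1] == "ADD"), None)
    if start is None:
        return None
    result = {"key": toks[start + 2], "name": None, "type": None, "data": None, "force": False}
    args, j = toks[start + 3:], 0
    while j < len(args):
        flag = args[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(args):
            result[{"/v": "name", "/t": "type", "/d": "data"}[flag]] = args[j + 1]
            j += 2
        else:
            result["force"] |= flag == "/f"
            j += 1
    return result


def analyze(cmdline):
    """Return a list of (severity, message) findings for one command line."""
    reg = parse_reg_add(cmdline)
    m = _FIREWALL_KEY_RE.match(normalize_key(reg["key"])) if reg else None
    if m is None:
        return []
    profile = m.group("profile").capitalize() + "Profile"
    name, data = (reg["name"] or "").lower(), (reg["data"] or "").strip().lower()
    findings = []
    if m.group("sub") is None:
        if name == "donotallowexceptions" and data in ("0", "0x0"):
            findings.append(("high", f"{profile}: DoNotAllowExceptions set to 0 (exceptions re-enabled)"))
    else:
        # Value format is <path>:<scope>:<Enabled|Disabled>:<display name>; the
        # path itself contains a colon, so split from the right.
        parts = (reg["data"] or "").rsplit(":", 3)
        path = parts[0]
        scope, state, display = parts[1:] if len(parts) == 4 else ("?", "?", "")
        severity = "high" if _USER_WRITABLE_RE.match(path) else "medium"
        findings.append((severity, f"{profile}: allow-list entry for {path} "
                                   f"(scope={scope}, state={state}, display name={display!r})"))
        if "windows" in display.lower() and not re.match(r"^[A-Z]:\\WINDOWS\\", path, re.I):
            findings.append(("low", f"display name {display!r} mimics a Windows component "
                                    f"but the binary is not under \\Windows"))
    return findings


def scan(cmdlines):
    """analyze() over many lines, returning (line, finding) pairs."""
    return [(line, f) for line in cmdlines for f in analyze(line)]


# Constructed input: lines 1-2 are copied from the process tree in this report;
# lines 3-4 are controls that must produce no finding.
SAMPLE_CMDLINES = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKCU\Software\ExampleVendor\ExampleApp /v Theme /t REG_SZ /d dark /f',
    r'ping 127.0.0.1 -n 3',
]

if __name__ == "__main__":
    for _line, (severity, message) in scan(SAMPLE_CMDLINES):
        print(f"[{severity}] {message}")
```

Run against the constructed lines it reports the DoNotAllowExceptions reset and the bot-noip.exe allow-list entry as high, plus a low note that the display name "Windows Messanger" does not match a binary under \Windows; the two control lines produce nothing. The same `analyze()` can be pointed at the `\REGISTRY\MACHINE\...\ControlSet001\...` key spelling from the signature table because `normalize_key()` folds both forms together.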
Downloads
- memory/1052-142-0x0000000000000000-mapping.dmp
- memory/1404-144-0x0000000000000000-mapping.dmp
- memory/1576-143-0x0000000000000000-mapping.dmp
- memory/1640-132-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1640-133-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/4556-139-0x0000000000000000-mapping.dmp
- memory/4628-140-0x0000000000000000-mapping.dmp
- memory/4632-138-0x0000000000000000-mapping.dmp
- memory/4736-141-0x0000000000000000-mapping.dmp
- memory/4840-137-0x0000000000000000-mapping.dmp
The two 1640 dumps cover the sample's mapped image at 0x400000-0x470000 (0x70000 bytes = 448KB, against 436KB on disk) and are the resources the upx YARA rule matched; the zero-address mapping dumps for the cmd.exe and reg.exe children carry no image data.
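The upx YARA match above was made on the in-memory image. For the file itself, the quickest independent confirmation is the section table: UPX leaves sections named UPX0 and UPX1, and UPX0 has a large VirtualSize with SizeOfRawData 0 because it is only the unpack destination. The following Python is an added example, not code from the sandbox, the YARA rule or the sample: it walks the PE section table with the struct module and reports those two indicators. The PE images it checks are constructed fixtures built in-line (a UPX-style layout and a plain one), not the sample's bytes, and all function names are the example's own.

```python
"""Header-based UPX check for a PE file.

Added example, not part of the sandbox report; the PE fixtures are constructed
here and are not the sample's bytes.
"""
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
_COFF = "<HHIIIHH"
# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
_SECTION = "<8sIIIIIIHHI"


def pe_sections(data):
    """Parse the section table of a PE image; raises ValueError on a non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from(_COFF, data, e_lfanew + 4)
    off = e_lfanew + 4 + struct.calcsize(_COFF) + size_opt
    sections = []
    for _ in range(nsec):
        if off + struct.calcsize(_SECTION) > len(data):
            raise ValueError("truncated section table")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(_SECTION, data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_ptr": rptr, "characteristics": flags})
        off += struct.calcsize(_SECTION)
    return sections


def upx_indicators(sections):
    """Reasons the section table looks UPX-packed; an empty list means none found."""
    reasons = []
    upx_names = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    if upx_names:
        reasons.append("UPX section names: " + ", ".join(upx_names))
    # UPX0 is the unpack destination: VirtualSize > 0 but no raw bytes on disk.
    # The compressed payload and the decompression stub live in UPX1.
    first = sections[0] if sections else None
    if first and first["raw_size"] == 0 and first["virtual_size"] > 0:
        reasons.append(f"first section {first['name']!r} has no raw data but "
                       f"VirtualSize 0x{first['virtual_size']:x}")
    return reasons


def build_pe(names, raw_sizes, virt_sizes):
    """Constructed fixture: a minimal, non-loadable PE32 carrying only a section table."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(_COFF, 0x014C, len(names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)       # PE32 magic, rest zero
    table = b"".join(
        struct.pack(_SECTION, n[:8].ljust(8, b"\x00"), v, 0x1000 * (i + 1), r, 0x400,
                    0, 0, 0, 0, 0x60000020)                            # code|exec|read
        for i, (n, r, v) in enumerate(zip(names, raw_sizes, virt_sizes))
    )
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table


# Constructed fixtures (not the sample's bytes): a UPX-style layout and a plain one.
UPX_LIKE = build_pe([b"UPX0", b"UPX1", b".rsrc"], [0, 0x14000, 0x2000], [0x50000, 0x14000, 0x2000])
PLAIN = build_pe([b".text", b".rdata", b".data"], [0x8000, 0x2000, 0x1000], [0x8000, 0x2000, 0x1000])

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, upx_indicators(pe_sections(blob)) or ["no UPX indicators"])
```

Against a real file read with `open(path, "rb").read()`, `upx_indicators(pe_sections(data))` gives the same two-line answer. Renamed sections defeat the name check but not the zero-raw-size layout check, which is why both are reported; a match here is a reason to unpack before static analysis, not proof of malice on its own.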