Analysis
- max time kernel: 170s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 13:44
Behavioral task
- behavioral1
- Sample: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe
- Resource: win7-20220812-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe
- Size: 436KB
- MD5: 17ba65c2acd44986b417661d57eee88f
- SHA1: 0e5d8e92dafa9d2ee064da0a192920d7c77a241c
- SHA256: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168
- SHA512: 4e59c463aafb51be41987d1a5d04976ee6fa0c0888b325d12c671d026ca1503b3f09943417abc53787988ace6d6927e242775a197cd7dfec55409bae48d5e180
- SSDEEP: 6144:vA9x5O5TLn9BHng5HaH/bNlNvdR1NvVejs9wmQ8XUvubgy:Sx5O5TTfgajhNxVejs9wmQ8XK27
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 10 IoCs)
  Processes: reg.exe, reg.exe, reg.exe, reg.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe:*:Enabled:Windows Messanger" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot-noip.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot-noip.exe:*:Enabled:Windows Messanger" | reg.exe
- YARA rule: upx
  resource | yara_rule
  behavioral2/memory/2396-133-0x0000000000400000-0x0000000000470000-memory.dmp | upx
  behavioral2/memory/2396-144-0x0000000000400000-0x0000000000470000-memory.dmp | upx
- Modifies registry key (1 TTPs, 4 IoCs)
  Processes: reg.exe, reg.exe, reg.exe, reg.exe
  pid | process
  4456 | reg.exe
  368 | reg.exe
  1716 | reg.exe
  3340 | reg.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe
  pid | process
  2396 | 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe (pid 2396)
  Privileges enabled, in the order recorded (the unnamed entries 1 and 31 to 35 are privilege LUIDs the report did not resolve to a name; together the list walks every LUID from 1 through 35, the usual "enable everything in the token" loop):
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe
  pid | process
  2396 | 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe (3 hooks)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  pid | process | target pid | target process | writes
  2396 | 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe | 4784 | cmd.exe | 3
  2396 | 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe | 4756 | cmd.exe | 3
  2396 | 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe | 4748 | cmd.exe | 3
  2396 | 7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe | 4924 | cmd.exe | 3
  4756 | cmd.exe | 1716 | reg.exe | 3
  4924 | cmd.exe | 4456 | reg.exe | 3
  4784 | cmd.exe | 3340 | reg.exe | 3
  4748 | cmd.exe | 368 | reg.exe | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe
    "C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7f2a8c39cf324694b19e2b6522be091053e681c3b8c3b28e50f6fbf9f8c57168.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key
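The four REG ADD lines above are the whole of this sample's observed host changes: it clears DoNotAllowExceptions on the legacy StandardProfile key (so the exception list is honoured again) and whitelists both its own Temp path and C:\Users\Admin\AppData\Roaming\bot-noip.exe, using the XP SP2-era entry format path:scope:Enabled:name with the lure display name "Windows Messanger". Two caveats for anyone turning this into a detection: the commands target HKLM\System\CurrentControlSet, which the signature table records as ControlSet001 because CurrentControlSet is a symbolic link to the active control set, so match on the FirewallPolicy suffix rather than the full key; and nothing in this report shows bot-noip.exe being written to disk, so the exception is registered ahead of any drop and a file-based rule alone would miss it. The following is an added detection example, not code from the report or from the sample: it parses REG ADD command lines (from a sandbox process tree, Sysmon Event ID 1 or Security event 4688), decodes AuthorizedApplications entries and flags the two behaviours seen here. It goes slightly beyond the page by also flagging EnableFirewall=0 under the same key. The sample command lines are constructed from the tree above plus two control lines; the severity labels, the USER_WRITABLE prefixes and the parse_reg_add/evaluate names are my own choices.

```python
"""Added detection example for the firewall-policy tampering in the process
tree above (not the sample's code, not part of the report).  Parses REG ADD
command lines, decodes legacy AuthorizedApplications entries
(path:scope:Enabled|Disabled:name) and flags the risky cases."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Suffix shared by every firewall-policy key, matched case-insensitively so
# CurrentControlSet vs ControlSet001 does not matter.
FW_KEY = r"services\sharedaccess\parameters\firewallpolicy"
# Directory fragments a standard user can write to (assumption: extend per estate).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local",
                 r"\users\public", r"\programdata")
# Double-quoted token or run of non-whitespace; cmd.exe-style quoting suffices here.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Drive or UNC path, scope, Enabled/Disabled, display name (name may contain ':').
AUTH_ENTRY = re.compile(r"^([A-Za-z]:[^:]*|\\\\[^:]*):([^:]*):(Enabled|Disabled):(.*)$", re.I)


@dataclass
class RegAdd:
    key: str
    value: Optional[str]
    vtype: Optional[str]
    data: Optional[str]


@dataclass
class AuthorizedApp:
    path: str
    scope: str          # "*" = any remote address, otherwise an address/subnet list
    enabled: bool
    display_name: str   # what the firewall UI shows; here the lure "Windows Messanger"


@dataclass
class Finding:
    severity: str
    reason: str
    cmdline: str


def tokenize(cmdline: str) -> List[str]:
    """Split a command line, stripping the quotes around quoted tokens."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Extract key/value/type/data from `reg add`, also when wrapped in `cmd /c`."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(low) - 2):
        if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            break
    else:
        return None
    opts = {"/v": None, "/t": None, "/d": None}
    j = i + 3
    while j < len(toks):
        if low[j] in opts and j + 1 < len(toks):
            opts[low[j]] = toks[j + 1]
            j += 2
        else:
            j += 1
    return RegAdd(toks[i + 2], opts["/v"], opts["/t"], opts["/d"])


def parse_authorized_app(data: str) -> Optional[AuthorizedApp]:
    """Decode an AuthorizedApplications\\List value (XP SP2 firewall format)."""
    m = AUTH_ENTRY.match(data)
    if m is None:
        return None
    return AuthorizedApp(m.group(1), m.group(2), m.group(3).lower() == "enabled", m.group(4))


def evaluate(cmdline: str) -> List[Finding]:
    """Findings for one command line; empty list when it is not firewall-related."""
    r = parse_reg_add(cmdline)
    if r is None or FW_KEY not in r.key.lower():
        return []
    findings: List[Finding] = []
    key, value, data = r.key.lower(), (r.value or "").lower(), (r.data or "").lower()
    if value == "donotallowexceptions" and data in ("0", "0x0"):
        findings.append(Finding("high", "DoNotAllowExceptions cleared: exception list honoured again", cmdline))
    if value == "enablefirewall" and data in ("0", "0x0"):
        findings.append(Finding("high", "EnableFirewall set to 0: profile firewall switched off", cmdline))
    if "authorizedapplications\\list" in key:
        app = parse_authorized_app(r.data or "")
        if app is None:
            findings.append(Finding("medium", "AuthorizedApplications entry with undecodable data", cmdline))
        else:
            severity, why = "medium", f"firewall exception for {app.path} shown as '{app.display_name}'"
            if any(frag in app.path.lower() for frag in USER_WRITABLE):
                severity, why = "high", why + " (user-writable location)"
            if app.scope == "*":
                why += ", any remote address"
            findings.append(Finding(severity, why, cmdline))
    return findings


def scan(cmdlines) -> List[Finding]:
    return [f for c in cmdlines for f in evaluate(c)]


# Constructed input: the first two lines come from the process tree above, the
# last two are control lines (a benign-looking exception and an unrelated REG ADD).
SAMPLE_CMDLINES = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot-noip.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot-noip.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files\Example\sync.exe" /t REG_SZ /d "C:\Program Files\Example\sync.exe:LocalSubNet:Enabled:Example Sync" /f',
    r'REG ADD HKCU\Software\Example /v Setting /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.reason}")
```

Run against the constructed lines it reports two high findings (the cleared DoNotAllowExceptions and the %AppData% exception open to any remote address) and one medium finding for the Program Files entry; the unrelated REG ADD is ignored. Feeding it real 4688 or Sysmon command lines means the same parser, since the sandbox tree records the command line exactly as those events do.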
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/368-143-0x0000000000000000-mapping.dmp
- memory/1716-140-0x0000000000000000-mapping.dmp
- memory/2396-133-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/2396-144-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/3340-142-0x0000000000000000-mapping.dmp
- memory/4456-141-0x0000000000000000-mapping.dmp
- memory/4748-138-0x0000000000000000-mapping.dmp
- memory/4756-137-0x0000000000000000-mapping.dmp
- memory/4784-136-0x0000000000000000-mapping.dmp
- memory/4924-139-0x0000000000000000-mapping.dmp