b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc

Analysis

max time kernel
157s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe
Size

7KB
MD5

30cdbb3cf34ecf7608b5ae63ab210d9e
SHA1

cdf6f5aa88797eab216f7df93abf32f50df7e8d1
SHA256

b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc
SHA512

37b0ab9a939dee1cb946cdb78f07560d1ecd0cf6d1f881082b0a322fe4cdac91c5978ca8aacf493081821184be4b2d0ad21214d016c2b4eebd9700977b8b29b1
SSDEEP

96:ehggA+/B4FVND80B7odDQS3b0Mzh87BnPr/s3qNQzt80:aU+Z8VVldoqOhePzs

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4912	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnwin.exe = "C:\\Windows\\system32\\lnwin.exe"	b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lnwin.exe	b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe
File opened for modification	C:\Windows\SysWOW64\lnwin.exe	b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4912	1428	b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe	82
PID 1428 wrote to memory of 4912	1428	b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe	82
PID 1428 wrote to memory of 4912	1428	b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe	82

C:\Users\Admin\AppData\Local\Temp\b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe
"C:\Users\Admin\AppData\Local\Temp\b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram "C:\Users\Admin\AppData\Local\Temp\b9d784980ee9c1ef737f1ab4b97ead2a52d683c66b9523a15d911a6bbc82bbcc.exe" enable
  2⤵
  - Modifies Windows Firewall
  PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1428-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download