9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b

Analysis

max time kernel
167s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Size

919KB
MD5

4843063ab4446c5f8e7de208aa817715
SHA1

c54c2bed924a832fb973ceed7459c2fd0789b226
SHA256

9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b
SHA512

6b6eda58fd755bfe482739bbca32f76ff360aaa3d519f1085dc6b29838321900716b7e50f64dfdd1a2c9e1bb669287ed812401860ae4973c3cf95adfb2ccb88d
SSDEEP

6144:iSKrrlWYyUlakuiNXQli2VuxwJ0cmmx3k74XODG40zQG7NP0nuc6Hzp3wT66vlmf:iYYl1uWXQQ2Qf2x3u9q400uB74fKL0mp

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bitc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bitc.exe:*:Enabled:Windows Messanger"	reg.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\HKEY_CURRENT_USER = "C:\\Users\\Admin\\AppData\\Roaming\\bitc.exe"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	tmpopen.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D16DAE53-5F9E-3FBE-F8B2-12EFDCAEA7A4}	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D16DAE53-5F9E-3FBE-F8B2-12EFDCAEA7A4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bitc.exe"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{D16DAE53-5F9E-3FBE-F8B2-12EFDCAEA7A4}	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{D16DAE53-5F9E-3FBE-F8B2-12EFDCAEA7A4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\bitc.exe"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1336-61-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1336-65-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1336-66-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1336-79-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1336-80-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKEY_CURRENT_USER = "C:\\Users\\Admin\\AppData\\Roaming\\bitc.exe"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKEY_CURRENT_USER = "C:\\Users\\Admin\\AppData\\Roaming\\bitc.exe"	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
436	reg.exe
768	reg.exe
1300	reg.exe
1092	reg.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeBackupPrivilege	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: 1	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeCreateTokenPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeAssignPrimaryTokenPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeLockMemoryPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeIncreaseQuotaPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeMachineAccountPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeTcbPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeSecurityPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeTakeOwnershipPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeLoadDriverPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeSystemProfilePrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeSystemtimePrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeProfSingleProcessPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeIncBasePriorityPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeCreatePagefilePrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeCreatePermanentPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeBackupPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeRestorePrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeShutdownPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeDebugPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeAuditPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeSystemEnvironmentPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeChangeNotifyPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeRemoteShutdownPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeUndockPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeSyncAgentPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeEnableDelegationPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeManageVolumePrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeImpersonatePrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: SeCreateGlobalPrivilege	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: 31	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: 32	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: 33	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: 34	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
Token: 35	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1292	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	28
PID 1956 wrote to memory of 1292	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	28
PID 1956 wrote to memory of 1292	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	28
PID 1956 wrote to memory of 1292	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	28
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1956 wrote to memory of 1336	1956	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	29
PID 1336 wrote to memory of 1096	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	30
PID 1336 wrote to memory of 1096	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	30
PID 1336 wrote to memory of 1096	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	30
PID 1336 wrote to memory of 1096	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	30
PID 1336 wrote to memory of 340	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	31
PID 1336 wrote to memory of 340	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	31
PID 1336 wrote to memory of 340	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	31
PID 1336 wrote to memory of 340	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	31
PID 1336 wrote to memory of 1108	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	33
PID 1336 wrote to memory of 1108	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	33
PID 1336 wrote to memory of 1108	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	33
PID 1336 wrote to memory of 1108	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	33
PID 1336 wrote to memory of 1156	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	35
PID 1336 wrote to memory of 1156	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	35
PID 1336 wrote to memory of 1156	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	35
PID 1336 wrote to memory of 1156	1336	9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe	35
PID 1096 wrote to memory of 436	1096	cmd.exe	38
PID 1096 wrote to memory of 436	1096	cmd.exe	38
PID 1096 wrote to memory of 436	1096	cmd.exe	38
PID 1096 wrote to memory of 436	1096	cmd.exe	38
PID 340 wrote to memory of 768	340	cmd.exe	39
PID 340 wrote to memory of 768	340	cmd.exe	39
PID 340 wrote to memory of 768	340	cmd.exe	39
PID 340 wrote to memory of 768	340	cmd.exe	39
PID 1156 wrote to memory of 1300	1156	cmd.exe	40
PID 1156 wrote to memory of 1300	1156	cmd.exe	40
PID 1156 wrote to memory of 1300	1156	cmd.exe	40
PID 1156 wrote to memory of 1300	1156	cmd.exe	40
PID 1108 wrote to memory of 1092	1108	cmd.exe	41
PID 1108 wrote to memory of 1092	1108	cmd.exe	41
PID 1108 wrote to memory of 1092	1108	cmd.exe	41
PID 1108 wrote to memory of 1092	1108	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
"C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\tmpopen.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpopen.exe"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
  C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\9755c20f892611d307f39e5c69250d89c319037682ed0d5775bf8f69e6de706b.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bitc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bitc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bitc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bitc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpopen.exe

Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpopen.exe

Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
\Users\Admin\AppData\Local\Temp\tmpopen.exe

Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
memory/340-72-0x0000000000000000-mapping.dmp

Download
memory/436-75-0x0000000000000000-mapping.dmp

Download
memory/768-76-0x0000000000000000-mapping.dmp

Download
memory/1092-78-0x0000000000000000-mapping.dmp

Download
memory/1096-71-0x0000000000000000-mapping.dmp

Download
memory/1108-73-0x0000000000000000-mapping.dmp

Download
memory/1156-74-0x0000000000000000-mapping.dmp

Download
memory/1292-58-0x0000000000000000-mapping.dmp

Download
memory/1300-77-0x0000000000000000-mapping.dmp

Download
memory/1336-66-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1336-65-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1336-61-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1336-62-0x0000000000472520-mapping.dmp

Download
memory/1336-79-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1336-80-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1956-56-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads