4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Size

419KB
MD5

5ec341e12424f0b9326cd073dfa8125b
SHA1

50cf6613f73ea3d3b93f8460b7b3ee74506db55a
SHA256

4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21
SHA512

cf562844ca2290232a4bb23c1a0b25765ac090be97b89d989feb5fb80dbfedfa75c439e99a106e0a936c6e8b351866c5bb3844cb3a1b0523668f338ff9a2776b
SSDEEP

6144:HwFr4PxWh0s2cBHng5HamJY4jESRL2RY7he2v8cV4u70vj1UPQ1ca/:Hw65Wh8AgamtFAYNv8cV4u70vRUPsl

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1448	reg.exe
1712	reg.exe
1708	reg.exe
1864	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeCreateTokenPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeAssignPrimaryTokenPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeLockMemoryPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeIncreaseQuotaPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeMachineAccountPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeTcbPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeSecurityPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeTakeOwnershipPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeLoadDriverPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeSystemProfilePrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeSystemtimePrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeProfSingleProcessPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeIncBasePriorityPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeCreatePagefilePrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeCreatePermanentPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeBackupPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeRestorePrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeShutdownPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeDebugPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeAuditPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeSystemEnvironmentPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeChangeNotifyPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeRemoteShutdownPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeUndockPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeSyncAgentPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeEnableDelegationPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeManageVolumePrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeImpersonatePrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: SeCreateGlobalPrivilege	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: 31	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: 32	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: 33	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: 34	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
Token: 35	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1148	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	27
PID 2012 wrote to memory of 1148	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	27
PID 2012 wrote to memory of 1148	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	27
PID 2012 wrote to memory of 1148	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	27
PID 2012 wrote to memory of 1720	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	28
PID 2012 wrote to memory of 1720	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	28
PID 2012 wrote to memory of 1720	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	28
PID 2012 wrote to memory of 1720	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	28
PID 2012 wrote to memory of 844	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	30
PID 2012 wrote to memory of 844	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	30
PID 2012 wrote to memory of 844	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	30
PID 2012 wrote to memory of 844	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	30
PID 2012 wrote to memory of 856	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	32
PID 2012 wrote to memory of 856	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	32
PID 2012 wrote to memory of 856	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	32
PID 2012 wrote to memory of 856	2012	4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe	32
PID 1720 wrote to memory of 1708	1720	cmd.exe	36
PID 1720 wrote to memory of 1708	1720	cmd.exe	36
PID 1720 wrote to memory of 1708	1720	cmd.exe	36
PID 1720 wrote to memory of 1708	1720	cmd.exe	36
PID 844 wrote to memory of 1864	844	cmd.exe	37
PID 844 wrote to memory of 1864	844	cmd.exe	37
PID 844 wrote to memory of 1864	844	cmd.exe	37
PID 844 wrote to memory of 1864	844	cmd.exe	37
PID 1148 wrote to memory of 1712	1148	cmd.exe	35
PID 1148 wrote to memory of 1712	1148	cmd.exe	35
PID 1148 wrote to memory of 1712	1148	cmd.exe	35
PID 1148 wrote to memory of 1712	1148	cmd.exe	35
PID 856 wrote to memory of 1448	856	cmd.exe	38
PID 856 wrote to memory of 1448	856	cmd.exe	38
PID 856 wrote to memory of 1448	856	cmd.exe	38
PID 856 wrote to memory of 1448	856	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe
"C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4c83a6eb8c14805f54b56acbf3f310f2d878bdcb0a44ab3889ff7b2d7f083f21.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-57-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads