Analysis
- max time kernel: 153s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 05:16
Static task
static1
Behavioral task
behavioral1
Sample
3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Resource
win10v2004-20220812-en
General
-
Target
3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
-
Size
932KB
-
MD5
9390a7a07408c32c5996f5ed706c2fb8
-
SHA1
0e234904d75e4d432199426bbc812bb55253a540
-
SHA256
3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae
-
SHA512
9b509242a6ea2a00ac8b8462bb0fc1862e75be805651674ad1be09d6b38a3cf4f486246be10034936c2cc69ff8f7b7e28decdeafc4c819fbdd5b92cd58f21ec3
-
SSDEEP
3072:yvxRc7U/tY6nCyILZ7TNlPgYGIqMWWAo2U8uCGGmj/h8RwmoCGOs7hem7TDXL7iX:yyPfMNRPlM0Q1hU
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe:*:Enabled:3ASFH" | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1812 | svchost.exe
1640 | svchost.exe
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
4628 | netsh.exe
664 | netsh.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3ASFH = "svchost.exe" | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ASFH = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2128 set thread context of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 1812 set thread context of 1640 | 1812 | svchost.exe | 87
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\winmx\shared\Movie Maker Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Myspace Cracker.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Windows 2008 Server KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\bearshare\shared\Microsoft Visual C++ 6 KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\RuneScape Gold Exploit.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\winmx\shared\Microsoft Visual Studio 6 KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\bearshare\shared\Tcpip Patch.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Virus Generator.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Project 7 Private 4.8.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\winmx\shared\Nod32 Internet Security Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\winmx\shared\Call Of Duty Modern Warfare 2 working multiplayer patch by team reloaded.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Movie Maker Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\Norton Internet Security 2010 Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\emule\incoming\Windows Vista Keygen | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\limewire\shared\Limewire Speed Patch | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\limewire\shared\Photoshop Crack.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Nod32 Antivirus Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\Photoshop Crack.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Microsoft Visual Studio 2008 KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\TuneUp 2010 Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\winmx\shared\RuneScape Cracker.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Project 7 Private 4.8.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\grokster\my grokster\Widnows 7 Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\tesla\files\Limewire Pro Downloader.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Microsoft Visual Basic 2008 KeyGen.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Kaspersky Internet Security Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\winmx\shared\DivX Pro KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Registry Cleaner Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite\my shared folder\RuneScape 2009 - Newest Exploits.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Registry Cleaner Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Partition Magic 8 Full package.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Avast Antivirus Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\RuneScape 2009 - Newest Exploits.exe | svchost.exe
File created | C:\Program Files (x86)\winmx\shared\Project 7 Private 4.8.exe | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\Photoshop Crack.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\emule\incoming\RuneScape Cracker.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\emule\incoming\Adobe Photoshop CS3 Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\icq\shared folder\Adobe Photoshop CS4 KeyGen.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Movie Maker Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\RuneScape Cracker.exe | svchost.exe
File created | C:\Program Files (x86)\bearshare\shared\Myspace Bruteforce.exe | svchost.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Microsoft Visual Studio 2008 KeyGen.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Avira Antivirus 2010 Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\emule\incoming\YIM HAcker 2009.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Myspace Cracker.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa lite k++\my shared folder\Microsoft Visual Studio 6 KeyGen.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\YIM HAcker 2009.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Avast Antivirus Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Virus Maker.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\edonkey2000\incoming\Call Of Duty Modern Warfare 2 working multiplayer patch by team reloaded.exe | svchost.exe
File created | C:\Program Files (x86)\emule\incoming\Adobe Photoshop Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\limewire\shared\Microsoft Visual Basic 2008 KeyGen.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Microsoft Visual Basic 6 KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Nod32 Antivirus Keygen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Photoshop Crack.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\DeadSpace KeyGen.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
File created | C:\Program Files (x86)\limewire\shared\Virus Maker.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\RuneScape Cracker.exe | svchost.exe
File created | C:\Program Files (x86)\morpheus\my shared folder\Norton Anti-Virus 2010 Enterprise Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\kazaa\my shared folder\Kaspersky 2010 Full Suite Keygen.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Project 7 Private 4.8.exe | svchost.exe
File created | C:\Program Files (x86)\icq\shared folder\Tcpip Patch.exe | svchost.exe
File created | C:\Program Files (x86)\grokster\my grokster\Virus Maker.exe | svchost.exe
File created | C:\Program Files (x86)\tesla\files\Adobe Photoshop Crack.exe | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
1812 | svchost.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 2128 wrote to memory of 1460 | 2128 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 83
PID 1460 wrote to memory of 4628 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 84
PID 1460 wrote to memory of 4628 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 84
PID 1460 wrote to memory of 4628 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 84
PID 1460 wrote to memory of 664 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 85
PID 1460 wrote to memory of 664 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 85
PID 1460 wrote to memory of 664 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 85
PID 1460 wrote to memory of 1812 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 86
PID 1460 wrote to memory of 1812 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 86
PID 1460 wrote to memory of 1812 | 1460 | 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe | 86
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
PID 1812 wrote to memory of 1640 | 1812 | svchost.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe (PID 2128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe (PID 1460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe"
    - Modifies firewall policy service
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4628)
      Command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (PID 664)
      Command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
      - Modifies Windows Firewall
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1812)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1640)
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 932KB
MD5: 9390a7a07408c32c5996f5ed706c2fb8
SHA1: 0e234904d75e4d432199426bbc812bb55253a540
SHA256: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae
SHA512: 9b509242a6ea2a00ac8b8462bb0fc1862e75be805651674ad1be09d6b38a3cf4f486246be10034936c2cc69ff8f7b7e28decdeafc4c819fbdd5b92cd58f21ec3