Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 20:55

General

  • Target

    8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe

  • Size

    336KB

  • MD5

    90c967e9f95c7afbcad7d5556d689344

  • SHA1

    d0faf34a99d1703598eaf3ac5ab1cbd48bbed10c

  • SHA256

    8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152

  • SHA512

    fee8cfa7ced8272a1ba9e9a11d7f312c9fb5592d8bbd73729e976f5eb5940ece049ab5e4f5868a3659dbe03ad7a94ce109c5ed48cbc04000e99e9020ebd147be

  • SSDEEP

    6144:xG78LjzOANvSAsQLqF9pXMiY3sGB6UduRfLtcQ:47kmAN6omFMb3sGB6UduRfLaQ

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service (2 TTPs, 10 IoCs)
  • Modifies registry key (1 TTPs, 4 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe
    "C:\Users\Admin\AppData\Local\Temp\8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:4776
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8c9dc467eccf32b5061853ff899f1acd009916faa5d941f5c182676e67ea1152.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:1676
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:4792
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Test2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Test2.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Test2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Test2.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:4704

Network

MITRE ATT&CK Enterprise v6
