f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac

General

Target

f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
Size

109KB
MD5

069cf757977a47d541c8432fd8070000
SHA1

60436879b82b71636f2b031da3e805eabfa77b25
SHA256

f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac
SHA512

74531e16d7f5ba1d965b542e0d169b7483a7385db74fe82e25bf307a936ce4c7c9981ec924f92d8f2f5506838cd7c28c0f6fecd2345ef8d0dc0c15bf803ae287
SSDEEP

1536:+cMCBoDz6xNpU/LziZ8CIgzr3bSFDoW75iK8ja56dODQ7coR/U:HSz6xE/Lzi26/rS9pFT86sODR

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-253528050862468260804250825\winmgr.exe = "C:\\Users\\Admin\\M-253528050862468260804250825\\winmgr.exe:*:Enabled:Microsoft Windows Manager"	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe

Executes dropped EXE 2 IoCs

pid	Process
3184	winmgr.exe
4292	winmgr.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4572-132-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4572-133-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/4572-137-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/files/0x0006000000022f76-140.dat	upx
behavioral2/files/0x0006000000022f76-141.dat	upx
behavioral2/memory/3184-143-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3184-144-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/3184-149-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/files/0x0006000000022f76-147.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-253528050862468260804250825\\winmgr.exe"	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4572 set thread context of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 3184 set thread context of 4292	3184	winmgr.exe	82

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 4572 wrote to memory of 1552	4572	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	80
PID 1552 wrote to memory of 3184	1552	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	81
PID 1552 wrote to memory of 3184	1552	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	81
PID 1552 wrote to memory of 3184	1552	f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe	81
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82
PID 3184 wrote to memory of 4292	3184	winmgr.exe	82

C:\Users\Admin\AppData\Local\Temp\f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
"C:\Users\Admin\AppData\Local\Temp\f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe
  "C:\Users\Admin\AppData\Local\Temp\f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\M-253528050862468260804250825\winmgr.exe
    C:\Users\Admin\M-253528050862468260804250825\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Users\Admin\M-253528050862468260804250825\winmgr.exe
      C:\Users\Admin\M-253528050862468260804250825\winmgr.exe
      4⤵
      Executes dropped EXE
      PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M-253528050862468260804250825\winmgr.exe

Filesize
109KB

MD5
069cf757977a47d541c8432fd8070000

SHA1
60436879b82b71636f2b031da3e805eabfa77b25

SHA256
f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac

SHA512
74531e16d7f5ba1d965b542e0d169b7483a7385db74fe82e25bf307a936ce4c7c9981ec924f92d8f2f5506838cd7c28c0f6fecd2345ef8d0dc0c15bf803ae287

Download Submit
C:\Users\Admin\M-253528050862468260804250825\winmgr.exe

Filesize
109KB

MD5
069cf757977a47d541c8432fd8070000

SHA1
60436879b82b71636f2b031da3e805eabfa77b25

SHA256
f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac

SHA512
74531e16d7f5ba1d965b542e0d169b7483a7385db74fe82e25bf307a936ce4c7c9981ec924f92d8f2f5506838cd7c28c0f6fecd2345ef8d0dc0c15bf803ae287

Download Submit
C:\Users\Admin\M-253528050862468260804250825\winmgr.exe

Filesize
109KB

MD5
069cf757977a47d541c8432fd8070000

SHA1
60436879b82b71636f2b031da3e805eabfa77b25

SHA256
f25eea099952df3c263be3ad057f0b7eacac63bd6b14b04a53b5ea02c0eff4ac

SHA512
74531e16d7f5ba1d965b542e0d169b7483a7385db74fe82e25bf307a936ce4c7c9981ec924f92d8f2f5506838cd7c28c0f6fecd2345ef8d0dc0c15bf803ae287

Download Submit
memory/1552-136-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1552-135-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1552-142-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1552-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3184-143-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3184-144-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3184-149-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4292-150-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4292-151-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4572-132-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4572-137-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4572-133-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads