a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7

General

Target

a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
Size

130KB
MD5

625084a8ab051ccb08d52687334a9048
SHA1

99082b6d1029799d158635a5acf6588e21f7aea7
SHA256

a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7
SHA512

af7afda8cb9fd2b2fb9fe2f27a4f329e9b5a47e33be15d453f22938272c1a4b000666b9520b1eba08a79be6e405bff345bfde62ff1475fc407910232092e3330
SSDEEP

1536:R6Dqee3cp49xXbOLbxflu0dqvw3XwTnvQAPKk5YdQ7KseUDYf6SwQ9yxr19DpHs:4BS24rrOLneL7lKk5YKO5JyrQ9yxr1g

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-2875247467928479275\winsvc.exe = "C:\\Users\\Admin\\M-2875247467928479275\\winsvc.exe:*:Enabled:Microsoft Update"	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe

Executes dropped EXE 2 IoCs

pid	Process
3880	winsvc.exe
2116	winsvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Users\\Admin\\M-2875247467928479275\\winsvc.exe"	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 3880 set thread context of 2116	3880	winsvc.exe	87

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 4752 wrote to memory of 1456	4752	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	82
PID 1456 wrote to memory of 3880	1456	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	85
PID 1456 wrote to memory of 3880	1456	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	85
PID 1456 wrote to memory of 3880	1456	a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe	85
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87
PID 3880 wrote to memory of 2116	3880	winsvc.exe	87

C:\Users\Admin\AppData\Local\Temp\a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
"C:\Users\Admin\AppData\Local\Temp\a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe
  "C:\Users\Admin\AppData\Local\Temp\a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\M-2875247467928479275\winsvc.exe
    C:\Users\Admin\M-2875247467928479275\winsvc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\M-2875247467928479275\winsvc.exe
      C:\Users\Admin\M-2875247467928479275\winsvc.exe
      4⤵
      Executes dropped EXE
      PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M-2875247467928479275\winsvc.exe

Filesize
130KB

MD5
625084a8ab051ccb08d52687334a9048

SHA1
99082b6d1029799d158635a5acf6588e21f7aea7

SHA256
a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7

SHA512
af7afda8cb9fd2b2fb9fe2f27a4f329e9b5a47e33be15d453f22938272c1a4b000666b9520b1eba08a79be6e405bff345bfde62ff1475fc407910232092e3330

Download Submit
C:\Users\Admin\M-2875247467928479275\winsvc.exe

Filesize
130KB

MD5
625084a8ab051ccb08d52687334a9048

SHA1
99082b6d1029799d158635a5acf6588e21f7aea7

SHA256
a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7

SHA512
af7afda8cb9fd2b2fb9fe2f27a4f329e9b5a47e33be15d453f22938272c1a4b000666b9520b1eba08a79be6e405bff345bfde62ff1475fc407910232092e3330

Download Submit
C:\Users\Admin\M-2875247467928479275\winsvc.exe

Filesize
130KB

MD5
625084a8ab051ccb08d52687334a9048

SHA1
99082b6d1029799d158635a5acf6588e21f7aea7

SHA256
a93eb7e4b4d51b224dfb45fc8bdd988c2fc0878b2f28e46bf866dad288f01af7

SHA512
af7afda8cb9fd2b2fb9fe2f27a4f329e9b5a47e33be15d453f22938272c1a4b000666b9520b1eba08a79be6e405bff345bfde62ff1475fc407910232092e3330

Download Submit
memory/1456-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1456-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1456-135-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1456-136-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2116-144-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2116-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads