a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58

General

Target

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
Size

213KB
MD5

928452174f5067a712cc36846701686a
SHA1

f80242df914a1c5594d46eda37dbffdedfb27aca
SHA256

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58
SHA512

dba10ca48fb1c49794cd6fd5c8f403583ec71fbf3a677307a4e4ab256cc4992e5317951cd3c082b86dbd135fbd5ed016af0a0b9bf8be7e7cfeaa3829da88d6fd
SSDEEP

3072:aL5inVsD8cnLLEgoAMf2SsxmwEirbPVAGO7/9Op/kRLCflPFIWpmnQR6L/mDUDeN:aL5YaLYdiDZegoCflPmnQ8mDN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-487580275876824076547\winsvc.exe = "C:\\Users\\Admin\\M-487580275876824076547\\winsvc.exe:*:Enabled:Microsoft Service"	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

Executes dropped EXE 2 IoCs

Processes:

winsvc.exewinsvc.exe

pid process

1744 winsvc.exe
1724 winsvc.exe
Loads dropped DLL 1 IoCs

Processes:

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

pid process

804 a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

pid	process
1744	winsvc.exe
1724	winsvc.exe

pid	process
804	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service = "C:\\Users\\Admin\\M-487580275876824076547\\winsvc.exe"	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exewinsvc.exe

description	pid	process	target process
PID 980 set thread context of 804	980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
PID 1744 set thread context of 1724	1744	winsvc.exe	winsvc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exewinsvc.exe

pid	process
980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
1744	winsvc.exe
1744	winsvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exea43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exewinsvc.exe

description	pid	process	target process
PID 980 wrote to memory of 804	980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
PID 980 wrote to memory of 804	980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
PID 980 wrote to memory of 804	980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
PID 980 wrote to memory of 804	980	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
PID 804 wrote to memory of 1744	804	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	winsvc.exe
PID 804 wrote to memory of 1744	804	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	winsvc.exe
PID 804 wrote to memory of 1744	804	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	winsvc.exe
PID 804 wrote to memory of 1744	804	a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe	winsvc.exe
PID 1744 wrote to memory of 1724	1744	winsvc.exe	winsvc.exe
PID 1744 wrote to memory of 1724	1744	winsvc.exe	winsvc.exe
PID 1744 wrote to memory of 1724	1744	winsvc.exe	winsvc.exe
PID 1744 wrote to memory of 1724	1744	winsvc.exe	winsvc.exe

C:\Users\Admin\AppData\Local\Temp\a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
"C:\Users\Admin\AppData\Local\Temp\a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe
"C:\Users\Admin\AppData\Local\Temp\a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58.exe"
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\M-487580275876824076547\winsvc.exe
C:\Users\Admin\M-487580275876824076547\winsvc.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\M-487580275876824076547\winsvc.exe
C:\Users\Admin\M-487580275876824076547\winsvc.exe
4⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M-487580275876824076547\winsvc.exe

Filesize
213KB

MD5
928452174f5067a712cc36846701686a

SHA1
f80242df914a1c5594d46eda37dbffdedfb27aca

SHA256
a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58

SHA512
dba10ca48fb1c49794cd6fd5c8f403583ec71fbf3a677307a4e4ab256cc4992e5317951cd3c082b86dbd135fbd5ed016af0a0b9bf8be7e7cfeaa3829da88d6fd

Download Submit
C:\Users\Admin\M-487580275876824076547\winsvc.exe

Filesize
213KB

MD5
928452174f5067a712cc36846701686a

SHA1
f80242df914a1c5594d46eda37dbffdedfb27aca

SHA256
a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58

SHA512
dba10ca48fb1c49794cd6fd5c8f403583ec71fbf3a677307a4e4ab256cc4992e5317951cd3c082b86dbd135fbd5ed016af0a0b9bf8be7e7cfeaa3829da88d6fd

Download Submit
\Users\Admin\M-487580275876824076547\winsvc.exe

Filesize
213KB

MD5
928452174f5067a712cc36846701686a

SHA1
f80242df914a1c5594d46eda37dbffdedfb27aca

SHA256
a43b347276b36ddc850374ffab37989f9b6564c0b9c672296107245f8c6c1b58

SHA512
dba10ca48fb1c49794cd6fd5c8f403583ec71fbf3a677307a4e4ab256cc4992e5317951cd3c082b86dbd135fbd5ed016af0a0b9bf8be7e7cfeaa3829da88d6fd

Download Submit
memory/804-55-0x00000000004074A0-mapping.dmp

Download
memory/804-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/980-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1724-62-0x00000000004074A0-mapping.dmp

Download
memory/1724-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1744-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads