d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a

General

Target

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Size

384KB
MD5

89c243fd09e85bcba0343647820b2e95
SHA1

715054a3c94c54042cfd056852da8d9abe008ca8
SHA256

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a
SHA512

4f4c1c1697efd75da723e59b4afc6d97cbd63d3697937957b851fb20e4aa9ac0d382526a3ae8ec45d1d544c9e474a7f77595eb61db5aaaafe4d7b4ad9ccc5136
SSDEEP

6144:j3LQLH6lj/PUukj5QsWcaGOEYhn2s/AkvmUa3HXeh22hlECn/KqS15VIFI3M5IID:QLeYn5cFT/A8m33g+4

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\configuration\winsock.exe = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Critical = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/848-54-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral1/memory/848-67-0x0000000000400000-0x00000000004E2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Critical = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Critical = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1848 reg.exe
1436 reg.exe
880 reg.exe
1800 reg.exe

pid	process
1848	reg.exe
1436	reg.exe
880	reg.exe
1800	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	pid	process
Token: 1	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreateTokenPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeAssignPrimaryTokenPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeLockMemoryPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeIncreaseQuotaPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeMachineAccountPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeTcbPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSecurityPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeTakeOwnershipPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeLoadDriverPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSystemProfilePrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSystemtimePrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeProfSingleProcessPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeIncBasePriorityPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreatePagefilePrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreatePermanentPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeBackupPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeRestorePrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeShutdownPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeDebugPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeAuditPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSystemEnvironmentPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeChangeNotifyPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeRemoteShutdownPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeUndockPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSyncAgentPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeEnableDelegationPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeManageVolumePrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeImpersonatePrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreateGlobalPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 31	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 32	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 33	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 34	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 35	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeDebugPrivilege	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

pid	process
848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 916	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 916	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 916	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 916	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1124	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1124	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1124	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1124	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1620	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1620	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1620	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 1620	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 308	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 308	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 308	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 848 wrote to memory of 308	848	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 1124 wrote to memory of 1436	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 1436	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 1436	1124	cmd.exe	reg.exe
PID 1124 wrote to memory of 1436	1124	cmd.exe	reg.exe
PID 916 wrote to memory of 1848	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1848	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1848	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1848	916	cmd.exe	reg.exe
PID 308 wrote to memory of 1800	308	cmd.exe	reg.exe
PID 308 wrote to memory of 1800	308	cmd.exe	reg.exe
PID 308 wrote to memory of 1800	308	cmd.exe	reg.exe
PID 308 wrote to memory of 1800	308	cmd.exe	reg.exe
PID 1620 wrote to memory of 880	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 880	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 880	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 880	1620	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
"C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe:*:Enabled:Windows Messanger" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe:*:Enabled:Windows Messanger" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe:*:Enabled:Windows Messanger" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe:*:Enabled:Windows Messanger" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-62-0x0000000000000000-mapping.dmp

Download
memory/848-54-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/848-58-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/848-67-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/880-66-0x0000000000000000-mapping.dmp

Download
memory/916-59-0x0000000000000000-mapping.dmp

Download
memory/1124-60-0x0000000000000000-mapping.dmp

Download
memory/1436-63-0x0000000000000000-mapping.dmp

Download
memory/1620-61-0x0000000000000000-mapping.dmp

Download
memory/1800-65-0x0000000000000000-mapping.dmp

Download
memory/1848-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads