d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a

General

Target

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Size

384KB
MD5

89c243fd09e85bcba0343647820b2e95
SHA1

715054a3c94c54042cfd056852da8d9abe008ca8
SHA256

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a
SHA512

4f4c1c1697efd75da723e59b4afc6d97cbd63d3697937957b851fb20e4aa9ac0d382526a3ae8ec45d1d544c9e474a7f77595eb61db5aaaafe4d7b4ad9ccc5136
SSDEEP

6144:j3LQLH6lj/PUukj5QsWcaGOEYhn2s/AkvmUa3HXeh22hlECn/KqS15VIFI3M5IID:QLeYn5cFT/A8m33g+4

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\configuration\winsock.exe = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Critical = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB67798E-F556-BF25-B15C-CFBA8B6EEF85}	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2008-132-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral2/memory/2008-144-0x0000000000400000-0x00000000004E2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Critical = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Critical = "C:\\Users\\Admin\\AppData\\Roaming\\configuration\\winsock.exe"	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4952 reg.exe
4864 reg.exe
3680 reg.exe
4628 reg.exe

pid	process
4952	reg.exe
4864	reg.exe
3680	reg.exe
4628	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

description	pid	process
Token: 1	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreateTokenPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeAssignPrimaryTokenPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeLockMemoryPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeIncreaseQuotaPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeMachineAccountPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeTcbPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSecurityPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeTakeOwnershipPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeLoadDriverPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSystemProfilePrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSystemtimePrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeProfSingleProcessPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeIncBasePriorityPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreatePagefilePrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreatePermanentPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeBackupPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeRestorePrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeShutdownPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeDebugPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeAuditPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSystemEnvironmentPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeChangeNotifyPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeRemoteShutdownPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeUndockPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeSyncAgentPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeEnableDelegationPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeManageVolumePrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeImpersonatePrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeCreateGlobalPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 31	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 32	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 33	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 34	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: 35	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
Token: SeDebugPrivilege	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

pid	process
2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 3292	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 3292	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 3292	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 1988	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 1988	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 1988	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 4976	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 4976	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 4976	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 4304	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 4304	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 2008 wrote to memory of 4304	2008	d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe	cmd.exe
PID 4976 wrote to memory of 4952	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4952	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4952	4976	cmd.exe	reg.exe
PID 1988 wrote to memory of 3680	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 3680	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 3680	1988	cmd.exe	reg.exe
PID 3292 wrote to memory of 4864	3292	cmd.exe	reg.exe
PID 3292 wrote to memory of 4864	3292	cmd.exe	reg.exe
PID 3292 wrote to memory of 4864	3292	cmd.exe	reg.exe
PID 4304 wrote to memory of 4628	4304	cmd.exe	reg.exe
PID 4304 wrote to memory of 4628	4304	cmd.exe	reg.exe
PID 4304 wrote to memory of 4628	4304	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe
"C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:4864

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe:*:Enabled:Windows Messanger" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d059f1b6ff35d7cbaac3cbd69479107814b1888e1d578333d7f257a8068d816a.exe:*:Enabled:Windows Messanger" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:3680

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe:*:Enabled:Windows Messanger" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\configuration\winsock.exe:*:Enabled:Windows Messanger" /f
3⤵
- Modifies firewall policy service
- Modifies registry key
PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-137-0x0000000000000000-mapping.dmp

Download
memory/2008-132-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2008-144-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3292-136-0x0000000000000000-mapping.dmp

Download
memory/3680-141-0x0000000000000000-mapping.dmp

Download
memory/4304-139-0x0000000000000000-mapping.dmp

Download
memory/4628-143-0x0000000000000000-mapping.dmp

Download
memory/4864-142-0x0000000000000000-mapping.dmp

Download
memory/4952-140-0x0000000000000000-mapping.dmp

Download
memory/4976-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads