Analysis
-
max time kernel
186s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 22:05
Static task
static1
Behavioral task
behavioral1
Sample
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Resource
win10v2004-20221111-en
General
-
Target
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
-
Size
416KB
-
MD5
30b8bd459b5abcf9d67aca1aa55cefe5
-
SHA1
4d740587ec2d6b644b5c4be1fa60efceb39154d3
-
SHA256
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9
-
SHA512
39b06b09e5610b6b04415b69cfa4661ffdf37b11d10e3d692f8658b79f13d7772a698e9db9f3b58502a8201fed9b393d05040808d85cca0b7f82ac13ac2a0237
-
SSDEEP
12288:/C2UuagwQBLutty5lnLjJ072N+Je6pSW5+:6r7gwILOc5lnnJ0rJXV5
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-502485035088648045\winmgr.exe = "C:\\Users\\Admin\\M-502485035088648045\\winmgr.exe:*:Enabled:Microsoft Windows Manager" 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe -
Executes dropped EXE 1 IoCs
Processes:
winmgr.exepid process 4036 winmgr.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-502485035088648045\\winmgr.exe" 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exedescription pid process target process PID 4564 wrote to memory of 4036 4564 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe winmgr.exe PID 4564 wrote to memory of 4036 4564 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe winmgr.exe PID 4564 wrote to memory of 4036 4564 9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe winmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe"C:\Users\Admin\AppData\Local\Temp\9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe"1⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\M-502485035088648045\winmgr.exeC:\Users\Admin\M-502485035088648045\winmgr.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\M-502485035088648045\winmgr.exeFilesize
416KB
MD530b8bd459b5abcf9d67aca1aa55cefe5
SHA14d740587ec2d6b644b5c4be1fa60efceb39154d3
SHA2569467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9
SHA51239b06b09e5610b6b04415b69cfa4661ffdf37b11d10e3d692f8658b79f13d7772a698e9db9f3b58502a8201fed9b393d05040808d85cca0b7f82ac13ac2a0237
-
C:\Users\Admin\M-502485035088648045\winmgr.exeFilesize
416KB
MD530b8bd459b5abcf9d67aca1aa55cefe5
SHA14d740587ec2d6b644b5c4be1fa60efceb39154d3
SHA2569467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9
SHA51239b06b09e5610b6b04415b69cfa4661ffdf37b11d10e3d692f8658b79f13d7772a698e9db9f3b58502a8201fed9b393d05040808d85cca0b7f82ac13ac2a0237
-
memory/4036-133-0x0000000000000000-mapping.dmp
-
memory/4036-136-0x0000000000BA0000-0x0000000000BA5000-memory.dmpFilesize
20KB
-
memory/4564-132-0x0000000001210000-0x0000000001215000-memory.dmpFilesize
20KB