9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9

Analysis

max time kernel
186s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Size

416KB
MD5

30b8bd459b5abcf9d67aca1aa55cefe5
SHA1

4d740587ec2d6b644b5c4be1fa60efceb39154d3
SHA256

9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9
SHA512

39b06b09e5610b6b04415b69cfa4661ffdf37b11d10e3d692f8658b79f13d7772a698e9db9f3b58502a8201fed9b393d05040808d85cca0b7f82ac13ac2a0237
SSDEEP

12288:/C2UuagwQBLutty5lnLjJ072N+Je6pSW5+:6r7gwILOc5lnnJ0rJXV5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-502485035088648045\winmgr.exe = "C:\\Users\\Admin\\M-502485035088648045\\winmgr.exe:*:Enabled:Microsoft Windows Manager"	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe

Executes dropped EXE 1 IoCs

Processes:

winmgr.exe

pid process

4036 winmgr.exe

pid	process
4036	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-502485035088648045\\winmgr.exe"	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe

description	pid	process	target process
PID 4564 wrote to memory of 4036	4564	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe	winmgr.exe
PID 4564 wrote to memory of 4036	4564	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe	winmgr.exe
PID 4564 wrote to memory of 4036	4564	9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe	winmgr.exe

C:\Users\Admin\AppData\Local\Temp\9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe
"C:\Users\Admin\AppData\Local\Temp\9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9.exe"
1⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\M-502485035088648045\winmgr.exe
C:\Users\Admin\M-502485035088648045\winmgr.exe
2⤵
- Executes dropped EXE
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M-502485035088648045\winmgr.exe
Filesize
416KB

MD5
30b8bd459b5abcf9d67aca1aa55cefe5

SHA1
4d740587ec2d6b644b5c4be1fa60efceb39154d3

SHA256
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9

SHA512
39b06b09e5610b6b04415b69cfa4661ffdf37b11d10e3d692f8658b79f13d7772a698e9db9f3b58502a8201fed9b393d05040808d85cca0b7f82ac13ac2a0237

Download Submit
C:\Users\Admin\M-502485035088648045\winmgr.exe
Filesize
416KB

MD5
30b8bd459b5abcf9d67aca1aa55cefe5

SHA1
4d740587ec2d6b644b5c4be1fa60efceb39154d3

SHA256
9467240e933c19bf22b30a22554ca89d6cd991f3a69569783c4b9cda4cb978f9

SHA512
39b06b09e5610b6b04415b69cfa4661ffdf37b11d10e3d692f8658b79f13d7772a698e9db9f3b58502a8201fed9b393d05040808d85cca0b7f82ac13ac2a0237

Download Submit
memory/4036-133-0x0000000000000000-mapping.dmp

Download
memory/4036-136-0x0000000000BA0000-0x0000000000BA5000-memory.dmp

Filesize
20KB

Download
memory/4564-132-0x0000000001210000-0x0000000001215000-memory.dmp

Filesize
20KB

Download