Analysis
max time kernel: 151s
max time network: 216s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 22:31
Static task: static1
Behavioral task: behavioral1
  Sample: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe
  Resource: win10v2004-20220812-en
General
Target: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe
Size: 878KB
MD5: 474144535ccb04b454b19991e2e3f539
SHA1: 99cfa6fb38e203c41f36ba36ee71e941025a4f10
SHA256: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c
SHA512: 9848c753d4d9a4b09cbf94e45d1358362dec8b504cadac5885038b4d467b37ec860378348525250c8cab9d3f03e917aae242b7c45f7324c07d41294bc1e6aec2
SSDEEP: 12288:NB1xhXJxtxC5E5oPmGUgzO6xWVbVyaRG1V8VFDt:NnzvTC5D+GIbVnRGYD
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 2 IoCs)
  Process: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-5078860724647675945\winmgr.exe = "C:\\Users\\Admin\\M-5078860724647675945\\winmgr.exe:*:Enabled:Microsoft Windows Manager"
  The value whitelists the dropped copy in the Windows Firewall standard profile (scope "*", state Enabled) under the display name "Microsoft Windows Manager", so inbound connections to it are not blocked.

Executes dropped EXE (2 IoCs)
  PID 1840  winmgr.exe
  PID 1324  winmgr.exe

Loads dropped DLL (2 IoCs)
  PID 2024  8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe (two load events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-5078860724647675945\\winmgr.exe"

Suspicious use of SetThreadContext (2 IoCs)
  PID 1352 (8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe) set thread context of PID 2024 (same image)
  PID 1840 (winmgr.exe) set thread context of PID 1324 (winmgr.exe)

Suspicious behavior: MapViewOfSection (4 IoCs)
  PID 1352  8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe (2 events)
  PID 1840  winmgr.exe (2 events)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1352 (8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe) wrote to memory of PID 2024 (same image), 4 events
  PID 2024 (8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe) wrote to memory of PID 1840 (winmgr.exe), 4 events
  PID 1840 (winmgr.exe) wrote to memory of PID 1324 (winmgr.exe), 4 events

Read together, the WriteProcessMemory, MapViewOfSection and SetThreadContext events show each stage writing into a freshly spawned copy of its own image and then redirecting a thread in it (1352 -> 2024, then 1840 -> 1324), a sequence consistent with process hollowing / RunPE-style self-injection. The first injected copy (PID 2024) is the one that spawns winmgr.exe, sets the Run key and adds the firewall exception; winmgr.exe then repeats the same injection into a second copy of itself.
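The following is an added example and is not part of the Triage report. It rebuilds the cross-process chain and the persistence picture from the report's own event lines: the event text is copied from the tables above, but the column layout I parse (PID, action, target PID, PID again, source image, target image) is my reading of the report format, and the `path:scope:state:name` split of the firewall value is the documented layout of AuthorizedApplications\List data. It flags a process that both writes into and replaces a thread context in a child running the same image, and checks that the Run key and the firewall exception point at the file the sample actually spawned.

```python
"""Added example, not part of the Triage report: rebuild the injection chain and
persistence picture from the report's own event lines.  The event text below is
copied from the report tables; the column layout (PID, action, target PID, PID
again, source image, target image) is my reading of how the report prints them."""
import re
from collections import defaultdict

SAMPLE = "8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe"

# Constructed from the SetThreadContext and WriteProcessMemory tables (repeats dropped).
EVENTS = f"""
PID 1352 set thread context of 2024 1352 {SAMPLE} {SAMPLE}
PID 1840 set thread context of 1324 1840 winmgr.exe winmgr.exe
PID 1352 wrote to memory of 2024 1352 {SAMPLE} {SAMPLE}
PID 2024 wrote to memory of 1840 2024 {SAMPLE} winmgr.exe
PID 1840 wrote to memory of 1324 1840 winmgr.exe winmgr.exe
"""

# Registry data exactly as the report prints it (backslashes doubled).
RUN_RAW = r"C:\\Users\\Admin\\M-5078860724647675945\\winmgr.exe"
FW_RAW = r"C:\\Users\\Admin\\M-5078860724647675945\\winmgr.exe:*:Enabled:Microsoft Windows Manager"

EVENT_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")


def parse_events(text):
    """One dict per cross-process event: who did what to whom, with both image names."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"src": int(m.group(1)), "action": m.group(2),
                           "dst": int(m.group(3)), "src_image": m.group(4),
                           "dst_image": m.group(5)})
    return events


def find_self_injection(events):
    """Return (src_pid, dst_pid, image) for every pair where src both wrote into
    dst's memory and replaced a thread context in dst, and both run the same image.
    On a freshly spawned copy of the parent that is the hollowing / RunPE pattern:
    spawn self suspended, overwrite it, point a thread at the new code."""
    actions = defaultdict(set)
    images = {}
    for ev in events:
        key = (ev["src"], ev["dst"])
        actions[key].add(ev["action"])
        images[key] = (ev["src_image"], ev["dst_image"])
    hits = []
    for pair, acts in sorted(actions.items()):
        src_img, dst_img = images[pair]
        if {"wrote to memory of", "set thread context of"} <= acts and src_img == dst_img:
            hits.append((pair[0], pair[1], dst_img))
    return hits


def unescape(s):
    """The report prints registry strings with doubled backslashes; undo that."""
    return s.replace("\\\\", "\\")


def parse_firewall_entry(value):
    """AuthorizedApplications\\List data has the form 'path:scope:state:display name'.
    Split from the right so the colon after the drive letter stays in the path."""
    path, scope, state, name = unescape(value).rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def assess_persistence(run_data, fw_data, events):
    """Tie the Run key, the firewall exception and the process tree together."""
    run_path = unescape(run_data)
    fw = parse_firewall_entry(fw_data)
    exe_name = run_path.rsplit("\\", 1)[-1]
    return {
        "run_path": run_path,
        "firewall_path": fw["path"],
        # Same file is auto-started and whitelisted: one artefact, two places to clean.
        "same_binary": run_path.lower() == fw["path"].lower(),
        # A "Windows Manager" living under a user profile rather than Program Files.
        "under_user_profile": run_path.lower().startswith("c:\\users\\"),
        # scope '*' and Enabled: unsolicited inbound traffic to this program is allowed.
        "inbound_allowed": fw["scope"] == "*" and fw["state"] == "Enabled",
        # The whitelisted file is the one the sample actually spawned and injected into.
        "dropped_exe_executed": any(ev["dst_image"].lower() == exe_name.lower()
                                    for ev in events),
    }


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for src, dst, image in find_self_injection(evs):
        print(f"self-injection: PID {src} -> PID {dst} ({image})")
    for k, v in assess_persistence(RUN_RAW, FW_RAW, evs).items():
        print(f"{k}: {v}")
```

The same-image test is what separates this from ordinary child-process injection: a parent writing into and retargeting a thread in a copy of itself has no legitimate reason to do so, so it is a stronger signal than WriteProcessMemory alone. The MapViewOfSection events are not modelled because the report lists only the calling PID for them, not a target.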
Processes

1. C:\Users\Admin\AppData\Local\Temp\8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe"
   PID: 1352
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe (child of PID 1352)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c.exe"
      PID: 2024
      - Modifies firewall policy service
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\M-5078860724647675945\winmgr.exe (child of PID 2024)
         Command line: C:\Users\Admin\M-5078860724647675945\winmgr.exe
         PID: 1840
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\M-5078860724647675945\winmgr.exe (child of PID 1840)
            Command line: C:\Users\Admin\M-5078860724647675945\winmgr.exe
            PID: 1324
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\M-5078860724647675945\winmgr.exe
(recorded five times in the report, three times under C:\Users\Admin\M-5078860724647675945\winmgr.exe and twice under \Users\Admin\M-5078860724647675945\winmgr.exe, every entry with the same hashes)
Filesize: 878KB
MD5: 474144535ccb04b454b19991e2e3f539
SHA1: 99cfa6fb38e203c41f36ba36ee71e941025a4f10
SHA256: 8c150909fa61c76f9a3ecb90934425f1b5c14c40805c535e627f0c315ec8e00c
SHA512: 9848c753d4d9a4b09cbf94e45d1358362dec8b504cadac5885038b4d467b37ec860378348525250c8cab9d3f03e917aae242b7c45f7324c07d41294bc1e6aec2
These hashes are identical to the submitted sample's, so winmgr.exe is a byte-for-byte copy of the sample placed in a user-profile directory rather than a separately unpacked payload; the original file hash is therefore also the hash to hunt for at the persistence path.

memory/1324-64-0x00000000004038B0-mapping.dmp
memory/1352-54-0x0000000075071000-0x0000000075073000-memory.dmp  Filesize: 8KB
memory/1840-60-0x0000000000000000-mapping.dmp
memory/2024-55-0x00000000004038B0-mapping.dmp
memory/2024-57-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize: 28KB
The mapping address 0x4038B0 is the same for both injected children (PID 2024 and PID 1324) and lies inside the 0x400000-0x407000 region dumped from PID 2024, which is where the new thread context points after each SetThreadContext call.