f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725

General

Target

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Size

560KB
MD5

64f82b9173cd9db3756fcbb0207ec356
SHA1

53419f0f85640e1a40dfdb724ae6e78e7df9fd6b
SHA256

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725
SHA512

b18aaf19b1851b94c6f9c03c4a3cd66ae3fb005c1941dfd181b799f965c4d262c35c60ba3e3004704a73dada201d3bf2c2b0e39fcff7c0b574eef8710bc4427d
SSDEEP

12288:9Uo991Egcc0U6PINcTVDBb6rGkcXMK1wF9cSQDbi:9UoP1Egcc0RIN7rAM5F9cSQDb

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{FB6DFECC-DEDB-3FD5-FB01-AE2BDCCB58D5}	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{FB6DFECC-DEDB-3FD5-FB01-AE2BDCCB58D5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB6DFECC-DEDB-3FD5-FB01-AE2BDCCB58D5}	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB6DFECC-DEDB-3FD5-FB01-AE2BDCCB58D5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exef9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description	pid	process	target process
PID 1504 set thread context of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 set thread context of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1232 reg.exe
220 reg.exe
320 reg.exe
116 reg.exe

pid	process
1232	reg.exe
220	reg.exe
320	reg.exe
116	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

description	pid	process
Token: 1	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeCreateTokenPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeAssignPrimaryTokenPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeLockMemoryPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeIncreaseQuotaPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeMachineAccountPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeTcbPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeSecurityPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeTakeOwnershipPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeLoadDriverPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeSystemProfilePrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeSystemtimePrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeProfSingleProcessPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeIncBasePriorityPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeCreatePagefilePrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeCreatePermanentPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeBackupPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeRestorePrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeShutdownPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeDebugPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeAuditPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeSystemEnvironmentPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeChangeNotifyPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeRemoteShutdownPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeUndockPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeSyncAgentPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeEnableDelegationPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeManageVolumePrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeImpersonatePrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeCreateGlobalPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: 31	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: 32	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: 33	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: 34	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: 35	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
Token: SeDebugPrivilege	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exef9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exef9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

pid	process
1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exef9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exef9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1504 wrote to memory of 4920	1504	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 4920 wrote to memory of 1880	4920	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
PID 1880 wrote to memory of 2292	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 2292	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 2292	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 5024	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 5024	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 5024	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 5052	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 5052	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 5052	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 1580	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 1580	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1880 wrote to memory of 1580	1880	f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe	cmd.exe
PID 1580 wrote to memory of 116	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 116	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 116	1580	cmd.exe	reg.exe
PID 5024 wrote to memory of 220	5024	cmd.exe	reg.exe
PID 5024 wrote to memory of 220	5024	cmd.exe	reg.exe
PID 5024 wrote to memory of 220	5024	cmd.exe	reg.exe
PID 2292 wrote to memory of 1232	2292	cmd.exe	reg.exe
PID 2292 wrote to memory of 1232	2292	cmd.exe	reg.exe
PID 2292 wrote to memory of 1232	2292	cmd.exe	reg.exe
PID 5052 wrote to memory of 320	5052	cmd.exe	reg.exe
PID 5052 wrote to memory of 320	5052	cmd.exe	reg.exe
PID 5052 wrote to memory of 320	5052	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
"C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
"C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe
"C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f9f6a342949866e404ca538b4e1b142970f4ff6e235044632be7a2ea59eaa725.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:220

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-152-0x0000000000000000-mapping.dmp

Download
memory/220-153-0x0000000000000000-mapping.dmp

Download
memory/320-155-0x0000000000000000-mapping.dmp

Download
memory/1232-154-0x0000000000000000-mapping.dmp

Download
memory/1580-151-0x0000000000000000-mapping.dmp

Download
memory/1880-147-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1880-146-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1880-140-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1880-139-0x0000000000000000-mapping.dmp

Download
memory/2292-148-0x0000000000000000-mapping.dmp

Download
memory/4920-134-0x0000000000000000-mapping.dmp

Download
memory/4920-142-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4920-135-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5024-149-0x0000000000000000-mapping.dmp

Download
memory/5052-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads