Analysis
- max time kernel: 182s
- max time network: 221s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  Resource: win10v2004-20220812-en
General
- Target: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
- Size: 603KB
- MD5: 5cf013ef70882cc594ff447051499bf2
- SHA1: e1b94c03b9c62e8a4418987578c91d78bd18aa3e
- SHA256: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e
- SHA512: 9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052
- SSDEEP: 12288:aB1xhXJxtxC5E5oPmGUgzO6xWVbVkjZmf:anzvTC5D+GIbVJf
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 2 IoCs)
  Processes: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-9756843546575298504768808\winsvc.exe = "C:\\Users\\Admin\\M-9756843546575298504768808\\winsvc.exe:*:Enabled:Microsoft Windows Service" | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
- Executes dropped EXE (2 IoCs)
  Processes: winsvc.exe, winsvc.exe
  pid | process
  1320 | winsvc.exe
  1736 | winsvc.exe
- Loads dropped DLL (2 IoCs)
  Processes: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  pid | process
  1584 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  1584 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Users\\Admin\\M-9756843546575298504768808\\winsvc.exe" | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe, winsvc.exe
  description | pid | process | target process
  PID 1516 set thread context of 1584 | 1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  PID 1320 set thread context of 1736 | 1320 | winsvc.exe | winsvc.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe, winsvc.exe
  pid | process
  1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  1320 | winsvc.exe
  1320 | winsvc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe, c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe, winsvc.exe
  description | pid | process | target process
  PID 1516 wrote to memory of 1584 | 1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  PID 1516 wrote to memory of 1584 | 1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  PID 1516 wrote to memory of 1584 | 1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  PID 1516 wrote to memory of 1584 | 1516 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
  PID 1584 wrote to memory of 1320 | 1584 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | winsvc.exe
  PID 1584 wrote to memory of 1320 | 1584 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | winsvc.exe
  PID 1584 wrote to memory of 1320 | 1584 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | winsvc.exe
  PID 1584 wrote to memory of 1320 | 1584 | c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe | winsvc.exe
  PID 1320 wrote to memory of 1736 | 1320 | winsvc.exe | winsvc.exe
  PID 1320 wrote to memory of 1736 | 1320 | winsvc.exe | winsvc.exe
  PID 1320 wrote to memory of 1736 | 1320 | winsvc.exe | winsvc.exe
  PID 1320 wrote to memory of 1736 | 1320 | winsvc.exe | winsvc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe"
      - Modifies firewall policy service
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\M-9756843546575298504768808\winsvc.exe (child of 2)
         Command line: C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\M-9756843546575298504768808\winsvc.exe (child of 3)
            Command line: C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
  Filesize: 603KB
  MD5: 5cf013ef70882cc594ff447051499bf2
  SHA1: e1b94c03b9c62e8a4418987578c91d78bd18aa3e
  SHA256: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e
  SHA512: 9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052
- \Users\Admin\M-9756843546575298504768808\winsvc.exe
  Filesize: 603KB
  MD5: 5cf013ef70882cc594ff447051499bf2
  SHA1: e1b94c03b9c62e8a4418987578c91d78bd18aa3e
  SHA256: c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e
  SHA512: 9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052
- memory/1320-59-0x0000000000000000-mapping.dmp
- memory/1516-54-0x0000000075E11000-0x0000000075E13000-memory.dmp
  Filesize: 8KB
- memory/1584-55-0x00000000004074A0-mapping.dmp
- memory/1584-61-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB
- memory/1736-64-0x00000000004074A0-mapping.dmp
- memory/1736-67-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB