c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e

General

Target

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
Size

603KB
MD5

5cf013ef70882cc594ff447051499bf2
SHA1

e1b94c03b9c62e8a4418987578c91d78bd18aa3e
SHA256

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e
SHA512

9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052
SSDEEP

12288:aB1xhXJxtxC5E5oPmGUgzO6xWVbVkjZmf:anzvTC5D+GIbVJf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-9756843546575298504768808\winsvc.exe = "C:\\Users\\Admin\\M-9756843546575298504768808\\winsvc.exe:*:Enabled:Microsoft Windows Service"	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe

Executes dropped EXE 2 IoCs

Processes:

winsvc.exewinsvc.exe

pid process

4868 winsvc.exe
1812 winsvc.exe

pid	process
4868	winsvc.exe
1812	winsvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Users\\Admin\\M-9756843546575298504768808\\winsvc.exe"	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exewinsvc.exe

description	pid	process	target process
PID 5080 set thread context of 4908	5080	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
PID 4868 set thread context of 1812	4868	winsvc.exe	winsvc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exewinsvc.exe

pid	process
5080	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
5080	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
4868	winsvc.exe
4868	winsvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exec573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exewinsvc.exe

description	pid	process	target process
PID 5080 wrote to memory of 4908	5080	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
PID 5080 wrote to memory of 4908	5080	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
PID 5080 wrote to memory of 4908	5080	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
PID 4908 wrote to memory of 4868	4908	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	winsvc.exe
PID 4908 wrote to memory of 4868	4908	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	winsvc.exe
PID 4908 wrote to memory of 4868	4908	c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe	winsvc.exe
PID 4868 wrote to memory of 1812	4868	winsvc.exe	winsvc.exe
PID 4868 wrote to memory of 1812	4868	winsvc.exe	winsvc.exe
PID 4868 wrote to memory of 1812	4868	winsvc.exe	winsvc.exe

C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
"C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe
"C:\Users\Admin\AppData\Local\Temp\c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e.exe"
2⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
4⤵
- Executes dropped EXE
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
Filesize
603KB

MD5
5cf013ef70882cc594ff447051499bf2

SHA1
e1b94c03b9c62e8a4418987578c91d78bd18aa3e

SHA256
c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e

SHA512
9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052

Download Submit
C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
Filesize
603KB

MD5
5cf013ef70882cc594ff447051499bf2

SHA1
e1b94c03b9c62e8a4418987578c91d78bd18aa3e

SHA256
c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e

SHA512
9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052

Download Submit
C:\Users\Admin\M-9756843546575298504768808\winsvc.exe
Filesize
603KB

MD5
5cf013ef70882cc594ff447051499bf2

SHA1
e1b94c03b9c62e8a4418987578c91d78bd18aa3e

SHA256
c573188faab87ae66ba854cab51a41b506b5c39059fa51b5c323c12d2094d74e

SHA512
9094bae226eedf742a573196f7a88ea6dfe93082f44147ec48b7f18b37cbb2f0b605ec9770ed6b3f00032ea63e9f821d6e3d7214a4223a72e45119a28f62b052

Download Submit
memory/1812-137-0x0000000000000000-mapping.dmp

Download
memory/1812-139-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4868-134-0x0000000000000000-mapping.dmp

Download
memory/4908-132-0x0000000000000000-mapping.dmp

Download
memory/4908-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads