Analysis
- max time kernel: 188s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 20:44
Static task: static1
Behavioral task: behavioral1
- Sample: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
- Resource: win10v2004-20221111-en
General
- Target: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
- Size: 583KB
- MD5: 3ed425ec45a4098df4bb68b8dacfe963
- SHA1: 2b2261e7b9efc30f2d3e7c69fe7011309f478ade
- SHA256: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d
- SHA512: a51f83a98ebd7ce01b6af3f241cc91d9b832c676001eec6e1a5d8958a05d8d393a80a329b91e044f530fe7b5dd7cb3c9c5b223a083110fedf3deea2d7ac35abd
- SSDEEP: 12288:ff3V1zIQ0XoeZCMT7ar16I5/elWQ96y1uKsQk84Bqj6deP7H:ffVKVXozM6xvJK96y1YVcPT
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-507975836687766499060\winsvc.exe = "C:\\Users\\Admin\\M-507975836687766499060\\winsvc.exe:*:Enabled:Microsoft Windows Update" | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
- Executes dropped EXE (2 IoCs)
  Processes: winsvc.exe, winsvc.exe
  pid | process
  1028 | winsvc.exe
  448 | winsvc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update = "C:\\Users\\Admin\\M-507975836687766499060\\winsvc.exe" | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe, winsvc.exe
  description | pid | process | target process
  PID 1424 set thread context of 1816 | 1424 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  PID 1028 set thread context of 448 | 1028 | winsvc.exe | winsvc.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe, winsvc.exe
  pid | process
  1424 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  1424 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  1028 | winsvc.exe
  1028 | winsvc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe, af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe, winsvc.exe
  description | pid | process | target process
  PID 1424 wrote to memory of 1816 | 1424 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  PID 1424 wrote to memory of 1816 | 1424 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  PID 1424 wrote to memory of 1816 | 1424 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe
  PID 1816 wrote to memory of 1028 | 1816 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | winsvc.exe
  PID 1816 wrote to memory of 1028 | 1816 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | winsvc.exe
  PID 1816 wrote to memory of 1028 | 1816 | af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe | winsvc.exe
  PID 1028 wrote to memory of 448 | 1028 | winsvc.exe | winsvc.exe
  PID 1028 wrote to memory of 448 | 1028 | winsvc.exe | winsvc.exe
  PID 1028 wrote to memory of 448 | 1028 | winsvc.exe | winsvc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe (depth 1, PID 1424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe (depth 2, PID 1816)
    Command line: "C:\Users\Admin\AppData\Local\Temp\af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d.exe"
    - Modifies firewall policy service
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\M-507975836687766499060\winsvc.exe (depth 3, PID 1028)
      Command line: C:\Users\Admin\M-507975836687766499060\winsvc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\M-507975836687766499060\winsvc.exe (depth 4, PID 448)
        Command line: C:\Users\Admin\M-507975836687766499060\winsvc.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\M-507975836687766499060\winsvc.exe
  Filesize: 583KB
  MD5: 3ed425ec45a4098df4bb68b8dacfe963
  SHA1: 2b2261e7b9efc30f2d3e7c69fe7011309f478ade
  SHA256: af63cae36e18e2f5aaabaa8e9f31ace039059d4853cf14cae6694099ee513d9d
  SHA512: a51f83a98ebd7ce01b6af3f241cc91d9b832c676001eec6e1a5d8958a05d8d393a80a329b91e044f530fe7b5dd7cb3c9c5b223a083110fedf3deea2d7ac35abd
- memory/448-137-0x0000000000000000-mapping.dmp
- memory/448-139-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB
- memory/1028-134-0x0000000000000000-mapping.dmp
- memory/1816-132-0x0000000000000000-mapping.dmp
- memory/1816-133-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB