Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Resource: win10v2004-20220812-en
General
- Target: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
- Size: 122KB
- MD5: f5fca738eeb91bd105322677162325a9
- SHA1: 8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
- SHA256: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
- SHA512: e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
- SSDEEP: 3072:WLD+1ReXDsoUfWBeDhzgzz5MYh/6srzGRLH:WLD1DsoUfceDhzgzJ/6sK
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Process: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-52849205209409204980245\winmgr.exe = "C:\\Users\\Admin\\M-52849205209409204980245\\winmgr.exe:*:Enabled:Microsoft Windows Manager"
- Executes dropped EXE (2 IoCs)
  - PID 5112: winmgr.exe
  - PID 4736: winmgr.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  - Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-52849205209409204980245\\winmgr.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 3480 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) set thread context of PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe)
  - PID 5112 (winmgr.exe) set thread context of PID 4736 (winmgr.exe)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 3480: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  - PID 5112: winmgr.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  - PID 3480: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  - PID 3480: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
  - PID 5112: winmgr.exe
  - PID 5112: winmgr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 3480 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) wrote to memory of PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe)
  - PID 3480 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) wrote to memory of PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe)
  - PID 3480 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) wrote to memory of PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe)
  - PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) wrote to memory of PID 5112 (winmgr.exe)
  - PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) wrote to memory of PID 5112 (winmgr.exe)
  - PID 4476 (2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe) wrote to memory of PID 5112 (winmgr.exe)
  - PID 5112 (winmgr.exe) wrote to memory of PID 4736 (winmgr.exe)
  - PID 5112 (winmgr.exe) wrote to memory of PID 4736 (winmgr.exe)
  - PID 5112 (winmgr.exe) wrote to memory of PID 4736 (winmgr.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe (PID 3480)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe (PID 4476, child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe"
    Signatures: Modifies firewall policy service; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\M-52849205209409204980245\winmgr.exe (PID 5112, child of [2])
      Command line: C:\Users\Admin\M-52849205209409204980245\winmgr.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\M-52849205209409204980245\winmgr.exe (PID 4736, child of [3])
        Command line: C:\Users\Admin\M-52849205209409204980245\winmgr.exe
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\M-52849205209409204980245\winmgr.exe
  - Filesize: 122KB
  - MD5: f5fca738eeb91bd105322677162325a9
  - SHA1: 8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
  - SHA256: 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
  - SHA512: e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
  All hashes match the submitted sample: the dropped winmgr.exe is a byte-for-byte copy of the original executable.
- memory/4476-132-0x0000000000000000-mapping.dmp
- memory/4476-133-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/4736-137-0x0000000000000000-mapping.dmp
- memory/4736-139-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/5112-134-0x0000000000000000-mapping.dmp