2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814

General

Target

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
Size

122KB
MD5

f5fca738eeb91bd105322677162325a9
SHA1

8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a
SHA256

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814
SHA512

e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd
SSDEEP

3072:WLD+1ReXDsoUfWBeDhzgzz5MYh/6srzGRLH:WLD1DsoUfceDhzgzJ/6sK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-52849205209409204980245\winmgr.exe = "C:\\Users\\Admin\\M-52849205209409204980245\\winmgr.exe:*:Enabled:Microsoft Windows Manager"	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe

Executes dropped EXE 2 IoCs

Processes:

winmgr.exewinmgr.exe

pid process

5112 winmgr.exe
4736 winmgr.exe

pid	process
5112	winmgr.exe
4736	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-52849205209409204980245\\winmgr.exe"	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exewinmgr.exe

description	pid	process	target process
PID 3480 set thread context of 4476	3480	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
PID 5112 set thread context of 4736	5112	winmgr.exe	winmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exewinmgr.exe

pid process

3480 2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
5112 winmgr.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exewinmgr.exe

pid	process
3480	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
3480	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
5112	winmgr.exe
5112	winmgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exewinmgr.exe

description	pid	process	target process
PID 3480 wrote to memory of 4476	3480	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
PID 3480 wrote to memory of 4476	3480	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
PID 3480 wrote to memory of 4476	3480	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
PID 4476 wrote to memory of 5112	4476	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	winmgr.exe
PID 4476 wrote to memory of 5112	4476	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	winmgr.exe
PID 4476 wrote to memory of 5112	4476	2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe	winmgr.exe
PID 5112 wrote to memory of 4736	5112	winmgr.exe	winmgr.exe
PID 5112 wrote to memory of 4736	5112	winmgr.exe	winmgr.exe
PID 5112 wrote to memory of 4736	5112	winmgr.exe	winmgr.exe

C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
"C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe
"C:\Users\Admin\AppData\Local\Temp\2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814.exe"
2⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\M-52849205209409204980245\winmgr.exe
C:\Users\Admin\M-52849205209409204980245\winmgr.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\M-52849205209409204980245\winmgr.exe
C:\Users\Admin\M-52849205209409204980245\winmgr.exe
4⤵
- Executes dropped EXE
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M-52849205209409204980245\winmgr.exe
Filesize
122KB

MD5
f5fca738eeb91bd105322677162325a9

SHA1
8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a

SHA256
2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814

SHA512
e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd

Download Submit
C:\Users\Admin\M-52849205209409204980245\winmgr.exe
Filesize
122KB

MD5
f5fca738eeb91bd105322677162325a9

SHA1
8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a

SHA256
2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814

SHA512
e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd

Download Submit
C:\Users\Admin\M-52849205209409204980245\winmgr.exe
Filesize
122KB

MD5
f5fca738eeb91bd105322677162325a9

SHA1
8872b7fe0bd05e390ee70fb2f4c74c875ad07e4a

SHA256
2811ebd416aa6057f0acd63980eb81452fc04d57901d2bb71f1f54b67d606814

SHA512
e8d2ecb37b95b813a3ba368e3706199751c74851e8fec5a3f3cd89ea4b5bb7de4619614af05438bbdd7f0237804d3dfd62df8e9290ade4c6b3f1b331052031dd

Download Submit
memory/4476-132-0x0000000000000000-mapping.dmp

Download
memory/4476-133-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4736-137-0x0000000000000000-mapping.dmp

Download
memory/4736-139-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5112-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads