c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa

General

Target

c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Size

606KB
MD5

5109fd9935de26b52fc6bdc2b96c4ff2
SHA1

963fb4f803b4875cfca0054c5076c178d8d28fe5
SHA256

c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa
SHA512

c686a7805ad15d6e58e2dcd83d4ef52e07447ef11a09d624b256400bd28718d2958e3f8e5b9c20fde1094631a862a8f56c6bd78b9864a7df6ae0df47a7049307
SSDEEP

12288:9VBNNiiaGdz+35g6OvGC2WhZEHwq1iKSdAQU46OXKC7y:1u5GAG6/C2s+Q6Qv6Nj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\M-50507564324649683503740\winsvc.exe = "C:\\Windows\\M-50507564324649683503740\\winsvc.exe:*:Enabled:Microsoft Windows Service"	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe

Executes dropped EXE 2 IoCs

pid	Process
3612	winsvc.exe
1928	winsvc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Windows\\M-50507564324649683503740\\winsvc.exe"	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Windows\\M-50507564324649683503740\\winsvc.exe"	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 3620	5060	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	80
PID 3612 set thread context of 1928	3612	winsvc.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\M-50507564324649683503740\winsvc.exe	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
File opened for modification	C:\Windows\M-50507564324649683503740\winsvc.exe	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
File opened for modification	C:\Windows\M-50507564324649683503740	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5060	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
5060	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
3612	winsvc.exe
3612	winsvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3620	5060	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	80
PID 5060 wrote to memory of 3620	5060	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	80
PID 5060 wrote to memory of 3620	5060	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	80
PID 3620 wrote to memory of 3612	3620	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	81
PID 3620 wrote to memory of 3612	3620	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	81
PID 3620 wrote to memory of 3612	3620	c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe	81
PID 3612 wrote to memory of 1928	3612	winsvc.exe	84
PID 3612 wrote to memory of 1928	3612	winsvc.exe	84
PID 3612 wrote to memory of 1928	3612	winsvc.exe	84

C:\Users\Admin\AppData\Local\Temp\c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
"C:\Users\Admin\AppData\Local\Temp\c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe
  "C:\Users\Admin\AppData\Local\Temp\c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\M-50507564324649683503740\winsvc.exe
    C:\Windows\M-50507564324649683503740\winsvc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\M-50507564324649683503740\winsvc.exe
      C:\Windows\M-50507564324649683503740\winsvc.exe
      4⤵
      Executes dropped EXE
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\M-50507564324649683503740\winsvc.exe

Filesize
606KB

MD5
5109fd9935de26b52fc6bdc2b96c4ff2

SHA1
963fb4f803b4875cfca0054c5076c178d8d28fe5

SHA256
c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa

SHA512
c686a7805ad15d6e58e2dcd83d4ef52e07447ef11a09d624b256400bd28718d2958e3f8e5b9c20fde1094631a862a8f56c6bd78b9864a7df6ae0df47a7049307

Download Submit
C:\Windows\M-50507564324649683503740\winsvc.exe

Filesize
606KB

MD5
5109fd9935de26b52fc6bdc2b96c4ff2

SHA1
963fb4f803b4875cfca0054c5076c178d8d28fe5

SHA256
c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa

SHA512
c686a7805ad15d6e58e2dcd83d4ef52e07447ef11a09d624b256400bd28718d2958e3f8e5b9c20fde1094631a862a8f56c6bd78b9864a7df6ae0df47a7049307

Download Submit
C:\Windows\M-50507564324649683503740\winsvc.exe

Filesize
606KB

MD5
5109fd9935de26b52fc6bdc2b96c4ff2

SHA1
963fb4f803b4875cfca0054c5076c178d8d28fe5

SHA256
c08e739264052466cf4ab1e22b891ba551f6f0f1abe62503687721ff8e1345fa

SHA512
c686a7805ad15d6e58e2dcd83d4ef52e07447ef11a09d624b256400bd28718d2958e3f8e5b9c20fde1094631a862a8f56c6bd78b9864a7df6ae0df47a7049307

Download Submit
memory/1928-140-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3620-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5060-133-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads