Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 15:00

Static task: static1
Behavioral task: behavioral1
  Sample: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  Resource: win10v2004-20220901-en
General
Target: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Size: 544KB
MD5: e038a0d251bb672af6506aeb420f2388
SHA1: 0f085d0385eb58fe0126cef171e3bfcfb2fd25bf
SHA256: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35
SHA512: 05ba101950b87331bf0646346202e507a7eaab19c8b4f8982ba43798366669a397149e32e3d5776f6b52d04e89f9df6af0ad3bfd299fb9e967941a5de98f170a
SSDEEP: 12288:9R1cL/pzrkTj+3B6P0M4e5iVs3kkG6FD:X1ctzrk41pe5i0kkG6
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: winfirewall.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Windows Firewall\\winfirewall.exe\"" | winfirewall.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: winfirewall.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winfirewall.exe
Executes dropped EXE (2 IoCs)
Processes: winfirewall.exe, winfirewall.exe
  pid | process
  2316 | winfirewall.exe
  4456 | winfirewall.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
Processes: winfirewall.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Drops file in System32 directory (3 IoCs)
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  File opened for modification | C:\Windows\SysWOW64\Windows Firewall\ | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  File created | C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, winfirewall.exe
  description | pid | process | target process
  PID 4252 set thread context of 1260 | 4252 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  PID 2316 set thread context of 4456 | 2316 | winfirewall.exe | winfirewall.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, winfirewall.exe, winfirewall.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: winfirewall.exe
  pid | process
  4456 | winfirewall.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  pid | process
  1260 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, winfirewall.exe, winfirewall.exe
  description | pid | process
  Token: SeDebugPrivilege | 4252 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  Token: SeDebugPrivilege | 2316 | winfirewall.exe
  Token: SeDebugPrivilege | 4456 | winfirewall.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: winfirewall.exe
  pid | process
  4456 | winfirewall.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, winfirewall.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe
      Command line: "C:\Windows\system32\Windows Firewall\winfirewall.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe
        Command line: "C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Sets file execution options in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe
  Filesize: 544KB
  MD5: e038a0d251bb672af6506aeb420f2388
  SHA1: 0f085d0385eb58fe0126cef171e3bfcfb2fd25bf
  SHA256: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35
  SHA512: 05ba101950b87331bf0646346202e507a7eaab19c8b4f8982ba43798366669a397149e32e3d5776f6b52d04e89f9df6af0ad3bfd299fb9e967941a5de98f170a
- memory/1260-146-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/1260-133-0x0000000000000000-mapping.dmp
- memory/1260-136-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/1260-148-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/2316-137-0x0000000000000000-mapping.dmp
- memory/2316-140-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/2316-144-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/4252-135-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/4252-132-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/4456-142-0x0000000000400000-0x000000000044E000-memory.dmp  Filesize: 312KB
- memory/4456-145-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/4456-147-0x0000000074F10000-0x00000000754C1000-memory.dmp  Filesize: 5.7MB
- memory/4456-141-0x0000000000000000-mapping.dmp