e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Size

448KB
MD5

8dd140f05c4a2455b761e4ce345f06f3
SHA1

9a1f3a3780ebbdd6c2090c41250e690ffef24e45
SHA256

e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7
SHA512

691148b9cb5df3cd19d7b03c4adaa8aeae88ad0af10a4dc5f4411414074fa967c2d8a908be398fb4310219528611ac1698711dc524eb223bfd04a14e2d4742fc
SSDEEP

6144:gary7GJaw2T4Hb4I2HIEi+nPHawBnN/sRm+Vmj1d2tvkUTWFnHR1/ZN2F/:xy7GJaXTC4IsjkvK1gtvkUTWFnH//ZNW

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\locsrv.exe = "C:\\Users\\Admin\\AppData\\Roaming\\locsrv.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1756	reg.exe
680	reg.exe
1716	reg.exe
1736	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeCreateTokenPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeAssignPrimaryTokenPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeLockMemoryPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeIncreaseQuotaPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeMachineAccountPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeTcbPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeSecurityPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeTakeOwnershipPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeLoadDriverPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeSystemProfilePrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeSystemtimePrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeProfSingleProcessPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeIncBasePriorityPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeCreatePagefilePrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeCreatePermanentPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeBackupPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeRestorePrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeShutdownPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeDebugPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeAuditPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeSystemEnvironmentPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeChangeNotifyPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeRemoteShutdownPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeUndockPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeSyncAgentPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeEnableDelegationPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeManageVolumePrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeImpersonatePrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: SeCreateGlobalPrivilege	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: 31	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: 32	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: 33	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: 34	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Token: 35	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1932	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	26
PID 1376 wrote to memory of 1932	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	26
PID 1376 wrote to memory of 1932	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	26
PID 1376 wrote to memory of 1932	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	26
PID 1376 wrote to memory of 1948	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	27
PID 1376 wrote to memory of 1948	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	27
PID 1376 wrote to memory of 1948	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	27
PID 1376 wrote to memory of 1948	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	27
PID 1376 wrote to memory of 944	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	29
PID 1376 wrote to memory of 944	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	29
PID 1376 wrote to memory of 944	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	29
PID 1376 wrote to memory of 944	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	29
PID 1376 wrote to memory of 320	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	31
PID 1376 wrote to memory of 320	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	31
PID 1376 wrote to memory of 320	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	31
PID 1376 wrote to memory of 320	1376	e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe	31
PID 1932 wrote to memory of 1716	1932	cmd.exe	36
PID 1932 wrote to memory of 1716	1932	cmd.exe	36
PID 1932 wrote to memory of 1716	1932	cmd.exe	36
PID 1932 wrote to memory of 1716	1932	cmd.exe	36
PID 1948 wrote to memory of 680	1948	cmd.exe	35
PID 1948 wrote to memory of 680	1948	cmd.exe	35
PID 1948 wrote to memory of 680	1948	cmd.exe	35
PID 1948 wrote to memory of 680	1948	cmd.exe	35
PID 944 wrote to memory of 1756	944	cmd.exe	34
PID 944 wrote to memory of 1756	944	cmd.exe	34
PID 944 wrote to memory of 1756	944	cmd.exe	34
PID 944 wrote to memory of 1756	944	cmd.exe	34
PID 320 wrote to memory of 1736	320	cmd.exe	37
PID 320 wrote to memory of 1736	320	cmd.exe	37
PID 320 wrote to memory of 1736	320	cmd.exe	37
PID 320 wrote to memory of 1736	320	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
"C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\locsrv.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\locsrv.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\locsrv.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\locsrv.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-57-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads