Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 16:43
Static task: static1
Behavioral task: behavioral1
  Sample: e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
  Resource: win10v2004-20220812-en
General
Target: e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe
Size: 448KB
MD5: 8dd140f05c4a2455b761e4ce345f06f3
SHA1: 9a1f3a3780ebbdd6c2090c41250e690ffef24e45
SHA256: e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7
SHA512: 691148b9cb5df3cd19d7b03c4adaa8aeae88ad0af10a4dc5f4411414074fa967c2d8a908be398fb4310219528611ac1698711dc524eb223bfd04a14e2d4742fc
SSDEEP: 6144:gary7GJaw2T4Hb4I2HIEi+nPHawBnN/sRm+Vmj1d2tvkUTWFnHR1/ZN2F/:xy7GJaXTC4IsjkvK1gtvkUTWFnH//ZNW
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 10 IoCs)
  [process] description: ioc
  [reg.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  [reg.exe] Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  [reg.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  [reg.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  [reg.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  [reg.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  [reg.exe] Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  [reg.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  [reg.exe] Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe:*:Enabled:Windows Messanger"
  [reg.exe] Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\locsrv.exe = "C:\\Users\\Admin\\AppData\\Roaming\\locsrv.exe:*:Enabled:Windows Messanger"
  The two string values register the dropped sample and C:\Users\Admin\AppData\Roaming\locsrv.exe as firewall-authorized applications (value format <path>:<scope>:<Enabled|Disabled>:<display name>); DoNotAllowExceptions = 0 re-enables the exception list so those entries take effect. "Windows Messanger" is the display name the sample itself writes and is kept verbatim as an IoC. The sandbox records the key as ControlSet001 because HKLM\System\CurrentControlSet, used on the command lines below, is a link to the active control set.

Modifies registry key (1 TTP, 4 IoCs)
  pid / process: 2068 reg.exe, 508 reg.exe, 4900 reg.exe, 4768 reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 calls come from pid 3136 e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe. Privileges requested, in the order recorded:
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
  SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
  SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
  SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  The numeric entries are privilege LUIDs the sandbox did not resolve to names; on Windows, 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Walking every LUID from 1 to 35 in sequence is the pattern of a loop that tries to enable every privilege rather than the few the sample needs; the sandbox records the attempt, not whether the token actually held each privilege.
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / process: 3136 e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe (4 calls)

Suspicious use of WriteProcessMemory (24 IoCs)
  source pid / process -> target pid / process (procid_target); each pair is recorded three times
  3136 e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe -> 2180 cmd.exe (83)
  3136 e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe -> 3356 cmd.exe (84)
  3136 e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe -> 4892 cmd.exe (85)
  3136 e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe -> 4840 cmd.exe (88)
  4840 cmd.exe -> 4900 reg.exe (93)
  2180 cmd.exe -> 4768 reg.exe (94)
  3356 cmd.exe -> 508 reg.exe (92)
  4892 cmd.exe -> 2068 reg.exe (91)
Processes
C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe (PID 3136)
  command line: "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2180)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 4768)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe (PID 3356)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 508)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe (PID 4892)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 2068)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe (PID 4840)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\locsrv.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\locsrv.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 4900)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\locsrv.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\locsrv.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key
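The four reg.exe command lines in the process tree are the behaviour worth alerting on: DoNotAllowExceptions forced to 0 and two AuthorizedApplications\List entries that point into the user's AppData. The Python below is an added example of detection logic for that pattern, written for this page and not part of the sandbox report or its tooling. The event records are constructed from the report's process tree using Sysmon-style pid/ppid/image/command-line fields (the sample's own parent is not in the report, so it gets ppid 0), and the parser understands only the REG ADD syntax seen here:

```python
"""Detection logic for the firewall-policy tampering shown above: reg.exe writes
under ...\SharedAccess\Parameters\FirewallPolicy that disable DoNotAllowExceptions
or register an executable as an authorized application.  EVENTS is constructed
from the report's process tree (Sysmon-style pid/ppid/image/command line); it is
not a real log export."""
import re
from collections import namedtuple

SAMPLE = "e79e76cfc749b0b606e3345a351e1a2aa82c863131d7a08deea5faf2ba3fe6e7.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
LOCSRV = r"C:\Users\Admin\AppData\Roaming\locsrv.exe"
KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
CMD, REG = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe"

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
# kind: "exceptions_disabled" | "authorized_app"; path/display_name are "" for the former;
# user_writable: path is under a user's AppData; ancestry: image basenames from reg.exe upward
Finding = namedtuple("Finding", "pid kind profile path display_name user_writable ancestry")

def _noexc():
    return f'REG ADD {KEY} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'

def _allow(path):
    return (f'REG ADD {KEY}\\AuthorizedApplications\\List /v "{path}" '
            f'/t REG_SZ /d "{path}:*:Enabled:Windows Messanger" /f')

EVENTS = [  # constructed from the report; ppid 0 = parent not in the report
    ProcEvent(3136, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2180, 3136, CMD, "cmd /c " + _noexc()), ProcEvent(4768, 2180, REG, _noexc()),
    ProcEvent(3356, 3136, CMD, "cmd /c " + _allow(SAMPLE_PATH)), ProcEvent(508, 3356, REG, _allow(SAMPLE_PATH)),
    ProcEvent(4892, 3136, CMD, "cmd /c " + _noexc()), ProcEvent(2068, 4892, REG, _noexc()),
    ProcEvent(4840, 3136, CMD, "cmd /c " + _allow(LOCSRV)), ProcEvent(4900, 4840, REG, _allow(LOCSRV)),
]

# CurrentControlSet is a link to ControlSet00N, so the command line and the sandbox's
# ControlSet001 IoCs name the same key: match the stable tail of the path, not the prefix.
FW_KEY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\(?P<profile>\w+Profile)(?P<sub>(?:\\\S+)?)",
                    re.IGNORECASE)
# AuthorizedApplications\List data format: <path>:<scope>:<Enabled|Disabled>:<display name>
AUTH_APP = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$",
                      re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
ZERO = re.compile(r"(?:0x)?0+$", re.IGNORECASE)  # REG_DWORD data written as 0, 0x0, 00000000

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_reg_add(cmdline):
    """Parse 'REG ADD <key> /v <name> /t <type> /d <data> /f' into {key, v, t, d}, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    out, i = {"key": toks[2]}, 3
    while i < len(toks):
        if toks[i].lower() in ("/v", "/t", "/d") and i + 1 < len(toks):
            out[toks[i][1].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, /s or anything unexpected
    return out

def ancestry(pid, by_pid):
    """Image basenames from pid up to the last ancestor present in the events."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return tuple(chain)

def detect(events):
    """Return a Finding for every reg.exe write that weakens the firewall policy."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\reg.exe"):
            continue  # cmd.exe carries the same text via /c; score the process doing the write
        add = parse_reg_add(e.cmdline)
        m = FW_KEY.search(add["key"]) if add else None
        if m is None:
            continue
        profile, sub, chain = m["profile"], m["sub"].lower(), ancestry(e.pid, by_pid)
        if sub == "" and add.get("v", "").lower() == "donotallowexceptions" and ZERO.match(add.get("d", "")):
            findings.append(Finding(e.pid, "exceptions_disabled", profile, "", "", False, chain))
        elif sub == "\\authorizedapplications\\list":
            app = AUTH_APP.match(add.get("d", ""))
            if app and app["state"].lower() == "enabled":
                findings.append(Finding(e.pid, "authorized_app", profile, app["path"], app["name"],
                                        bool(USER_WRITABLE.match(app["path"])), chain))
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.pid, f.kind, f.profile, f.path or "-", "user-writable" if f.user_writable else "-",
              " <- ".join(f.ancestry))
```

Matching on the tail of the key rather than on HKLM\System\CurrentControlSet is deliberate: the command line addresses the key through the CurrentControlSet link while the sandbox's registry IoCs record it as ControlSet001, and a rule keyed on the prefix would see only one of the two. Running the file prints one line per finding; the ancestry column reproduces the sample -> cmd.exe -> reg.exe chain that the WriteProcessMemory signature records, which is the context an analyst needs to tie the reg.exe write back to the dropper.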