6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

Analysis

max time kernel
152s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
Size

238KB
MD5

f8715f5098e39d13fa1bfe96fbe3cd0b
SHA1

2bd80a2518ae9e8bb889cfa56310171920532a95
SHA256

6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df
SHA512

6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b
SSDEEP

6144:BwvISTVRlLhA6AOEJUTigG2PqNbFRgsqCqyhbbFDlv6b:BwvHTVy6AOE/gVCblts

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe = "C:\\Users\\Admin\\AppData\\Roaming\\%$User_Profile%\\SERV.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	authz.exe
3696	BioCredProv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/852-135-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/852-137-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/852-138-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/852-139-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	authz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Authorization Framework = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\authz.exe"	authz.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 3696 set thread context of 2464	3696	BioCredProv.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2452	reg.exe
1908	reg.exe
3092	reg.exe
4780	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
2000	authz.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
Token: 1	852	AppLaunch.exe
Token: SeCreateTokenPrivilege	852	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	852	AppLaunch.exe
Token: SeLockMemoryPrivilege	852	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	852	AppLaunch.exe
Token: SeMachineAccountPrivilege	852	AppLaunch.exe
Token: SeTcbPrivilege	852	AppLaunch.exe
Token: SeSecurityPrivilege	852	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	852	AppLaunch.exe
Token: SeLoadDriverPrivilege	852	AppLaunch.exe
Token: SeSystemProfilePrivilege	852	AppLaunch.exe
Token: SeSystemtimePrivilege	852	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	852	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	852	AppLaunch.exe
Token: SeCreatePagefilePrivilege	852	AppLaunch.exe
Token: SeCreatePermanentPrivilege	852	AppLaunch.exe
Token: SeBackupPrivilege	852	AppLaunch.exe
Token: SeRestorePrivilege	852	AppLaunch.exe
Token: SeShutdownPrivilege	852	AppLaunch.exe
Token: SeDebugPrivilege	852	AppLaunch.exe
Token: SeAuditPrivilege	852	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	852	AppLaunch.exe
Token: SeChangeNotifyPrivilege	852	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	852	AppLaunch.exe
Token: SeUndockPrivilege	852	AppLaunch.exe
Token: SeSyncAgentPrivilege	852	AppLaunch.exe
Token: SeEnableDelegationPrivilege	852	AppLaunch.exe
Token: SeManageVolumePrivilege	852	AppLaunch.exe
Token: SeImpersonatePrivilege	852	AppLaunch.exe
Token: SeCreateGlobalPrivilege	852	AppLaunch.exe
Token: 31	852	AppLaunch.exe
Token: 32	852	AppLaunch.exe
Token: 33	852	AppLaunch.exe
Token: 34	852	AppLaunch.exe
Token: 35	852	AppLaunch.exe
Token: SeDebugPrivilege	2000	authz.exe
Token: SeDebugPrivilege	3696	BioCredProv.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
852	AppLaunch.exe
852	AppLaunch.exe
852	AppLaunch.exe
852	AppLaunch.exe
2464	AppLaunch.exe
2464	AppLaunch.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 1292 wrote to memory of 852	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	87
PID 852 wrote to memory of 4424	852	AppLaunch.exe	88
PID 852 wrote to memory of 4424	852	AppLaunch.exe	88
PID 852 wrote to memory of 4424	852	AppLaunch.exe	88
PID 852 wrote to memory of 3632	852	AppLaunch.exe	89
PID 852 wrote to memory of 3632	852	AppLaunch.exe	89
PID 852 wrote to memory of 3632	852	AppLaunch.exe	89
PID 852 wrote to memory of 1840	852	AppLaunch.exe	94
PID 852 wrote to memory of 1840	852	AppLaunch.exe	94
PID 852 wrote to memory of 1840	852	AppLaunch.exe	94
PID 852 wrote to memory of 3728	852	AppLaunch.exe	93
PID 852 wrote to memory of 3728	852	AppLaunch.exe	93
PID 852 wrote to memory of 3728	852	AppLaunch.exe	93
PID 4424 wrote to memory of 2452	4424	cmd.exe	96
PID 4424 wrote to memory of 2452	4424	cmd.exe	96
PID 4424 wrote to memory of 2452	4424	cmd.exe	96
PID 3728 wrote to memory of 3092	3728	cmd.exe	98
PID 3728 wrote to memory of 3092	3728	cmd.exe	98
PID 3728 wrote to memory of 3092	3728	cmd.exe	98
PID 3632 wrote to memory of 1908	3632	cmd.exe	97
PID 3632 wrote to memory of 1908	3632	cmd.exe	97
PID 3632 wrote to memory of 1908	3632	cmd.exe	97
PID 1840 wrote to memory of 4780	1840	cmd.exe	99
PID 1840 wrote to memory of 4780	1840	cmd.exe	99
PID 1840 wrote to memory of 4780	1840	cmd.exe	99
PID 1292 wrote to memory of 2000	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	107
PID 1292 wrote to memory of 2000	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	107
PID 1292 wrote to memory of 2000	1292	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	107
PID 2000 wrote to memory of 3696	2000	authz.exe	108
PID 2000 wrote to memory of 3696	2000	authz.exe	108
PID 2000 wrote to memory of 3696	2000	authz.exe	108
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109
PID 3696 wrote to memory of 2464	3696	BioCredProv.exe	109

C:\Users\Admin\AppData\Local\Temp\6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
"C:\Users\Admin\AppData\Local\Temp\6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe
    "C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe

Filesize
238KB

MD5
f8715f5098e39d13fa1bfe96fbe3cd0b

SHA1
2bd80a2518ae9e8bb889cfa56310171920532a95

SHA256
6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

SHA512
6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe

Filesize
238KB

MD5
f8715f5098e39d13fa1bfe96fbe3cd0b

SHA1
2bd80a2518ae9e8bb889cfa56310171920532a95

SHA256
6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

SHA512
6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
memory/852-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/852-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/852-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/852-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/852-134-0x0000000000000000-mapping.dmp

Download
memory/1292-160-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1292-133-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1292-132-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1840-145-0x0000000000000000-mapping.dmp

Download
memory/1908-149-0x0000000000000000-mapping.dmp

Download
memory/2000-151-0x0000000000000000-mapping.dmp

Download
memory/2000-154-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2000-159-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2452-147-0x0000000000000000-mapping.dmp

Download
memory/2464-162-0x0000000000000000-mapping.dmp

Download
memory/3092-148-0x0000000000000000-mapping.dmp

Download
memory/3632-144-0x0000000000000000-mapping.dmp

Download
memory/3696-156-0x0000000000000000-mapping.dmp

Download
memory/3696-158-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/3696-161-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/3728-146-0x0000000000000000-mapping.dmp

Download
memory/4424-143-0x0000000000000000-mapping.dmp

Download
memory/4780-150-0x0000000000000000-mapping.dmp

Download