90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13

General

Target

90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe
Size

96KB
MD5

3000370fa1effe783decb42d7c3c351b
SHA1

9124d10677a3088d034f3af324e59209ca18fb2e
SHA256

90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13
SHA512

a579045cd145dcc3aa46121230acc1ca9f25843b89ed2540529c0e8e03dd69980fd6a3622ad846405bd427210a6684405e2f841f416d6ebe53556eeff399b25a
SSDEEP

768:k4fkA0QzOO0BliUpCPROqSchfIohTVqU/gf7DV9p0OnrykjAU+iciUo1o36K5zMl:k0TOO0BXCPROCw9Pw684BjwAKRCqLO9

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe:*:Enabled:Windows Messenger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 316 set thread context of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1480	reg.exe
944	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1908	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	27
PID 316 wrote to memory of 1908	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	27
PID 316 wrote to memory of 1908	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	27
PID 316 wrote to memory of 1908	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	27
PID 316 wrote to memory of 1896	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	29
PID 316 wrote to memory of 1896	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	29
PID 316 wrote to memory of 1896	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	29
PID 316 wrote to memory of 1896	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	29
PID 1908 wrote to memory of 1480	1908	cmd.exe	31
PID 1908 wrote to memory of 1480	1908	cmd.exe	31
PID 1908 wrote to memory of 1480	1908	cmd.exe	31
PID 1908 wrote to memory of 1480	1908	cmd.exe	31
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 316 wrote to memory of 976	316	90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe	32
PID 1896 wrote to memory of 944	1896	cmd.exe	33
PID 1896 wrote to memory of 944	1896	cmd.exe	33
PID 1896 wrote to memory of 944	1896	cmd.exe	33
PID 1896 wrote to memory of 944	1896	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe
"C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe" /t 1 /d "C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe:*:Enabled:Windows Messenger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe" /t 1 /d "C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe:*:Enabled:Windows Messenger" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:944
- C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe
  C:\Users\Admin\AppData\Local\Temp\90a2bad09346e481b9bb47430c29fa22c8ff6629dabda8bea006637e208f5a13.exe
  2⤵
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-59-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/976-62-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads