ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a

Analysis

max time kernel
162s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Size

516KB
MD5

45abdf6f2f3367a7239e75b6f24335de
SHA1

dfbd21d6124ceb24f93ec786c40cf49a8bf434d7
SHA256

ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a
SHA512

fbe2f5fb6869fe16c78e6858ab902975e5eeaba06dc7bae37ab30c18d5dc0f61c3a6f9dfeef9f8e708a3e6ed927011a9d62cf66b2b044b2ea3d1fe8ca84cd159
SSDEEP

12288:djWIBsILBzZfU2UB9Hx8keZgx7CvzT4iOmW1FgYgnWs7dyax9I9gv:djWIBsezZs2MxPIbT41/gR0cIo

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WA0GBAV1MQ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WA0GBAV1MQ.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
372	reg.exe
1792	reg.exe
176	reg.exe
3640	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeCreateTokenPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeAssignPrimaryTokenPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeLockMemoryPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeIncreaseQuotaPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeMachineAccountPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeTcbPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeSecurityPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeTakeOwnershipPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeLoadDriverPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeSystemProfilePrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeSystemtimePrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeProfSingleProcessPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeIncBasePriorityPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeCreatePagefilePrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeCreatePermanentPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeBackupPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeRestorePrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeShutdownPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeDebugPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeAuditPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeSystemEnvironmentPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeChangeNotifyPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeRemoteShutdownPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeUndockPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeSyncAgentPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeEnableDelegationPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeManageVolumePrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeImpersonatePrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: SeCreateGlobalPrivilege	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: 31	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: 32	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: 33	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: 34	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
Token: 35	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 4972 wrote to memory of 5040	4972	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	81
PID 5040 wrote to memory of 2256	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	82
PID 5040 wrote to memory of 2256	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	82
PID 5040 wrote to memory of 2256	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	82
PID 5040 wrote to memory of 4368	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	83
PID 5040 wrote to memory of 4368	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	83
PID 5040 wrote to memory of 4368	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	83
PID 5040 wrote to memory of 4752	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	85
PID 5040 wrote to memory of 4752	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	85
PID 5040 wrote to memory of 4752	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	85
PID 5040 wrote to memory of 1148	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	86
PID 5040 wrote to memory of 1148	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	86
PID 5040 wrote to memory of 1148	5040	ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe	86
PID 4752 wrote to memory of 3640	4752	cmd.exe	93
PID 4752 wrote to memory of 3640	4752	cmd.exe	93
PID 4752 wrote to memory of 3640	4752	cmd.exe	93
PID 2256 wrote to memory of 176	2256	cmd.exe	92
PID 2256 wrote to memory of 176	2256	cmd.exe	92
PID 2256 wrote to memory of 176	2256	cmd.exe	92
PID 4368 wrote to memory of 1792	4368	cmd.exe	91
PID 4368 wrote to memory of 1792	4368	cmd.exe	91
PID 4368 wrote to memory of 1792	4368	cmd.exe	91
PID 1148 wrote to memory of 372	1148	cmd.exe	90
PID 1148 wrote to memory of 372	1148	cmd.exe	90
PID 1148 wrote to memory of 372	1148	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
"C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
  C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ac1336be026c33c2653a7106e7781a1a0b6593173b5c97b091f60af51f9b9d4a.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WA0GBAV1MQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WA0GBAV1MQ.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WA0GBAV1MQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WA0GBAV1MQ.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5040-135-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5040-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5040-149-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads