f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Size

620KB
MD5

49ccb9a7b4617858e3bc7e90a3211e1a
SHA1

61df52c3259682c21b8ea0595def9e184b8a5c34
SHA256

f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975
SHA512

476f8e5680e96239956163517346f8394634120b87569124a00bc15f601eaea4a8a147c25f2321c4978dfcfb322064440be01e60ef2d7a647109dd44b06cd8fd
SSDEEP

12288:XoTxdR5JFZbCARQ6+8cGuHhUgw7A3JwlEtMUz3p:exddrHRQ/xan8yitM25

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ND6H3IV2LM.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ND6H3IV2LM.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ND6H3IV2LM.exe"	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BACEDECA-FCAD-B4D5-EEEE-EADF29517C0A}	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BACEDECA-FCAD-B4D5-EEEE-EADF29517C0A}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ND6H3IV2LM.exe"	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BACEDECA-FCAD-B4D5-EEEE-EADF29517C0A}	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BACEDECA-FCAD-B4D5-EEEE-EADF29517C0A}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\ND6H3IV2LM.exe"	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ND6H3IV2LM.exe"	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\ND6H3IV2LM.exe"	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 1256 set thread context of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2272	reg.exe
2064	reg.exe
2712	reg.exe
3624	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeCreateTokenPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeAssignPrimaryTokenPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeLockMemoryPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeIncreaseQuotaPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeMachineAccountPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeTcbPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeSecurityPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeTakeOwnershipPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeLoadDriverPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeSystemProfilePrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeSystemtimePrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeProfSingleProcessPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeIncBasePriorityPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeCreatePagefilePrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeCreatePermanentPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeBackupPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeRestorePrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeShutdownPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeDebugPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeAuditPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeSystemEnvironmentPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeChangeNotifyPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeRemoteShutdownPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeUndockPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeSyncAgentPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeEnableDelegationPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeManageVolumePrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeImpersonatePrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeCreateGlobalPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: 31	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: 32	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: 33	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: 34	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: 35	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
Token: SeDebugPrivilege	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 3996 wrote to memory of 1256	3996	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	83
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1256 wrote to memory of 1588	1256	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	84
PID 1588 wrote to memory of 1824	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	85
PID 1588 wrote to memory of 1824	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	85
PID 1588 wrote to memory of 1824	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	85
PID 1588 wrote to memory of 3636	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	86
PID 1588 wrote to memory of 3636	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	86
PID 1588 wrote to memory of 3636	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	86
PID 1588 wrote to memory of 2188	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	88
PID 1588 wrote to memory of 2188	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	88
PID 1588 wrote to memory of 2188	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	88
PID 1588 wrote to memory of 4832	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	87
PID 1588 wrote to memory of 4832	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	87
PID 1588 wrote to memory of 4832	1588	f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe	87
PID 3636 wrote to memory of 3624	3636	cmd.exe	97
PID 3636 wrote to memory of 3624	3636	cmd.exe	97
PID 3636 wrote to memory of 3624	3636	cmd.exe	97
PID 4832 wrote to memory of 2064	4832	cmd.exe	95
PID 4832 wrote to memory of 2064	4832	cmd.exe	95
PID 4832 wrote to memory of 2064	4832	cmd.exe	95
PID 1824 wrote to memory of 2272	1824	cmd.exe	94
PID 1824 wrote to memory of 2272	1824	cmd.exe	94
PID 1824 wrote to memory of 2272	1824	cmd.exe	94
PID 2188 wrote to memory of 2712	2188	cmd.exe	96
PID 2188 wrote to memory of 2712	2188	cmd.exe	96
PID 2188 wrote to memory of 2712	2188	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
"C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
  "C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe
    "C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f23c27c413057db5a7640831332d3ca92775a56a5883ed946ccb58506d17f975.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ND6H3IV2LM.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ND6H3IV2LM.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ND6H3IV2LM.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ND6H3IV2LM.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-136-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1256-145-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1256-147-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1588-157-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1588-141-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1588-146-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3996-132-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads