31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3

Analysis

max time kernel
154s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
Size

505KB
MD5

4d29c344dad1402d73c8fb892e8d5273
SHA1

c84b28dd9f7de1d7d095339ea2f6d3b16345afe8
SHA256

31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3
SHA512

18d7f92256a527d8caac2a03d06dc1cb20974d25ca56aa92225e386d1be2acb97777e5f162dfe1287c444b4a82389d18ce1bcfedc4c6c16e96d2214d036eaba6
SSDEEP

6144:2wBHhWBLXgF+NnSqHrp4wTNGuw7Rytx98J+p0Mu0FZMxiftlxRmB7wZ5:2eHktX2pqOwWoiAr9dRmhw

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Q8RNYZBCTS.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
4980	svchost.exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java plug-in = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe"	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 552 set thread context of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4500	reg.exe
1452	reg.exe
1836	reg.exe
4156	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
Token: 1	4980	svchost.exe.exe
Token: SeCreateTokenPrivilege	4980	svchost.exe.exe
Token: SeAssignPrimaryTokenPrivilege	4980	svchost.exe.exe
Token: SeLockMemoryPrivilege	4980	svchost.exe.exe
Token: SeIncreaseQuotaPrivilege	4980	svchost.exe.exe
Token: SeMachineAccountPrivilege	4980	svchost.exe.exe
Token: SeTcbPrivilege	4980	svchost.exe.exe
Token: SeSecurityPrivilege	4980	svchost.exe.exe
Token: SeTakeOwnershipPrivilege	4980	svchost.exe.exe
Token: SeLoadDriverPrivilege	4980	svchost.exe.exe
Token: SeSystemProfilePrivilege	4980	svchost.exe.exe
Token: SeSystemtimePrivilege	4980	svchost.exe.exe
Token: SeProfSingleProcessPrivilege	4980	svchost.exe.exe
Token: SeIncBasePriorityPrivilege	4980	svchost.exe.exe
Token: SeCreatePagefilePrivilege	4980	svchost.exe.exe
Token: SeCreatePermanentPrivilege	4980	svchost.exe.exe
Token: SeBackupPrivilege	4980	svchost.exe.exe
Token: SeRestorePrivilege	4980	svchost.exe.exe
Token: SeShutdownPrivilege	4980	svchost.exe.exe
Token: SeDebugPrivilege	4980	svchost.exe.exe
Token: SeAuditPrivilege	4980	svchost.exe.exe
Token: SeSystemEnvironmentPrivilege	4980	svchost.exe.exe
Token: SeChangeNotifyPrivilege	4980	svchost.exe.exe
Token: SeRemoteShutdownPrivilege	4980	svchost.exe.exe
Token: SeUndockPrivilege	4980	svchost.exe.exe
Token: SeSyncAgentPrivilege	4980	svchost.exe.exe
Token: SeEnableDelegationPrivilege	4980	svchost.exe.exe
Token: SeManageVolumePrivilege	4980	svchost.exe.exe
Token: SeImpersonatePrivilege	4980	svchost.exe.exe
Token: SeCreateGlobalPrivilege	4980	svchost.exe.exe
Token: 31	4980	svchost.exe.exe
Token: 32	4980	svchost.exe.exe
Token: 33	4980	svchost.exe.exe
Token: 34	4980	svchost.exe.exe
Token: 35	4980	svchost.exe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4980	svchost.exe.exe
4980	svchost.exe.exe
4980	svchost.exe.exe
4980	svchost.exe.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 552 wrote to memory of 4980	552	31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe	82
PID 4980 wrote to memory of 852	4980	svchost.exe.exe	83
PID 4980 wrote to memory of 852	4980	svchost.exe.exe	83
PID 4980 wrote to memory of 852	4980	svchost.exe.exe	83
PID 4980 wrote to memory of 1004	4980	svchost.exe.exe	84
PID 4980 wrote to memory of 1004	4980	svchost.exe.exe	84
PID 4980 wrote to memory of 1004	4980	svchost.exe.exe	84
PID 4980 wrote to memory of 736	4980	svchost.exe.exe	87
PID 4980 wrote to memory of 736	4980	svchost.exe.exe	87
PID 4980 wrote to memory of 736	4980	svchost.exe.exe	87
PID 4980 wrote to memory of 4356	4980	svchost.exe.exe	88
PID 4980 wrote to memory of 4356	4980	svchost.exe.exe	88
PID 4980 wrote to memory of 4356	4980	svchost.exe.exe	88
PID 852 wrote to memory of 1452	852	cmd.exe	91
PID 852 wrote to memory of 1452	852	cmd.exe	91
PID 852 wrote to memory of 1452	852	cmd.exe	91
PID 736 wrote to memory of 1836	736	cmd.exe	92
PID 736 wrote to memory of 1836	736	cmd.exe	92
PID 736 wrote to memory of 1836	736	cmd.exe	92
PID 1004 wrote to memory of 4156	1004	cmd.exe	93
PID 1004 wrote to memory of 4156	1004	cmd.exe	93
PID 1004 wrote to memory of 4156	1004	cmd.exe	93
PID 4356 wrote to memory of 4500	4356	cmd.exe	94
PID 4356 wrote to memory of 4500	4356	cmd.exe	94
PID 4356 wrote to memory of 4500	4356	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
"C:\Users\Admin\AppData\Local\Temp\31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/552-132-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/552-139-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4980-134-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4980-151-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads