Analysis

max time kernel: 248s
max time network: 348s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 00:05

Static task: static1

Behavioral task: behavioral1
  Sample: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
  Resource: win10v2004-20220812-en
General

Target: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Size: 452KB
MD5: 650fe1e37b2a8a5c8e00e7a7ff92699e
SHA1: 88f72e4215a3e5ef1a7568bb4766f3b628ebb2c9
SHA256: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f
SHA512: 57537a7580477b9998f2058500e490bea1ca429a86dd360481ce6811939dcc678f9026e6cfa6a6585e41d510555ee1484d1f6dfb9ca7c3de7a81ea9db31864ae
SSDEEP: 6144:fK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSuOu:C3HcVvo21ga0aQ4HLJhkHM6jI7VD7wiu
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 8 IoCs)
  description / ioc / process
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Security\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe:*:Enabled:Windows Messanger" (reg.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe:*:Enabled:Windows Messanger" (reg.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description / ioc / process
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92} (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92} (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / process
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" (a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe)

Modifies registry key (1 TTPs, 4 IoCs)
  pid / process
  1516 reg.exe
  960 reg.exe
  1512 reg.exe
  596 reg.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description / pid / process
  All 35 events come from PID 892, a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe. Tokens adjusted, in order:
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid / process
  892 a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe (3 events)

Suspicious use of WriteProcessMemory (32 IoCs)
  description / pid / process / procid_target (each row was recorded 4 times)
  PID 892 wrote to memory of 1672: 892 a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe, procid_target 28
  PID 892 wrote to memory of 1884: 892 a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe, procid_target 31
  PID 892 wrote to memory of 1916: 892 a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe, procid_target 30
  PID 892 wrote to memory of 1064: 892 a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe, procid_target 32
  PID 1672 wrote to memory of 1516: 1672 cmd.exe, procid_target 36
  PID 1884 wrote to memory of 1512: 1884 cmd.exe, procid_target 38
  PID 1916 wrote to memory of 960: 1916 cmd.exe, procid_target 37
  PID 1064 wrote to memory of 596: 1064 cmd.exe, procid_target 39
Processes
1. C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe"
   PID: 892
   - Adds policy Run key to start application
   - Modifies Installed Components in the registry
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 1672
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         PID: 1516
         - Modifies firewall policy service
         - Modifies registry key

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 1916
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         PID: 960
         - Modifies firewall policy service
         - Modifies registry key

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe:*:Enabled:Windows Messanger" /f
      PID: 1884
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe:*:Enabled:Windows Messanger" /f
         PID: 1512
         - Modifies firewall policy service
         - Modifies registry key

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Security\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\explorer.exe:*:Enabled:Windows Messanger" /f
      PID: 1064
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Security\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\explorer.exe:*:Enabled:Windows Messanger" /f
         PID: 596
         - Modifies firewall policy service
         - Modifies registry key