Analysis

max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 00:05
Static task: static1

Behavioral task: behavioral1
  Sample: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
  Resource: win10v2004-20220812-en
General

Target: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Size: 452KB
MD5: 650fe1e37b2a8a5c8e00e7a7ff92699e
SHA1: 88f72e4215a3e5ef1a7568bb4766f3b628ebb2c9
SHA256: a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f
SHA512: 57537a7580477b9998f2058500e490bea1ca429a86dd360481ce6811939dcc678f9026e6cfa6a6585e41d510555ee1484d1f6dfb9ca7c3de7a81ea9db31864ae
SSDEEP: 6144:fK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSuOu:C3HcVvo21ga0aQ4HLJhkHM6jI7VD7wiu
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 10 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Security\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92} | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92} | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5ABC871C-DD4E-210E-DD36-CA2EAD8CDE92}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Adds Run key to start application (2 TTPs, 4 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\explorer.exe" | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Modifies registry key (1 TTPs, 4 IoCs)

pid | Process
2248 | reg.exe
4636 | reg.exe
4640 | reg.exe
3612 | reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)

description | pid | Process
All 35 entries were recorded for pid 4512, process a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe, one per token below:
Token: 1
Token: SeCreateTokenPrivilege
Token: SeAssignPrimaryTokenPrivilege
Token: SeLockMemoryPrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeMachineAccountPrivilege
Token: SeTcbPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeCreatePermanentPrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeAuditPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeSyncAgentPrivilege
Token: SeEnableDelegationPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 31
Token: 32
Token: 33
Token: 34
Token: 35
Suspicious use of SetWindowsHookEx (3 IoCs)

pid | Process
4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
Suspicious use of WriteProcessMemory (24 IoCs)

description | pid | Process | procid_target
Each of the eight rows below was recorded 3 times:
PID 4512 wrote to memory of 3208 | 4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe | 79
PID 4512 wrote to memory of 1768 | 4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe | 80
PID 4512 wrote to memory of 3272 | 4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe | 81
PID 4512 wrote to memory of 2484 | 4512 | a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe | 85
PID 3208 wrote to memory of 2248 | 3208 | cmd.exe | 89
PID 2484 wrote to memory of 3612 | 2484 | cmd.exe | 88
PID 1768 wrote to memory of 4640 | 1768 | cmd.exe | 87
PID 3272 wrote to memory of 4636 | 3272 | cmd.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe"
  PID: 4512
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 3208
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2248
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe:*:Enabled:Windows Messanger" /f
    PID: 1768
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a455ef3f8718a04e051e2d0bf0fa5f5ca5e0760c118f2e008645fbdbb8aac39f.exe:*:Enabled:Windows Messanger" /f
      PID: 4640
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 3272
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 4636
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Security\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\explorer.exe:*:Enabled:Windows Messanger" /f
    PID: 2484
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Security\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\explorer.exe:*:Enabled:Windows Messanger" /f
      PID: 3612
      - Modifies firewall policy service
      - Modifies registry key