Analysis

- max time kernel: 236s
- max time network: 226s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 00:06
Static task: static1

Behavioral task: behavioral1
- Sample: af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
- Resource: win10v2004-20220812-en

The signatures and process tree below are from behavioral1, the windows7_x64 run named in the Analysis header.
General

- Target: af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
- Size: 420KB
- MD5: 9e928e69013d1fbe59b37549fae7c277
- SHA1: 0f584aa88906f2628d9365d24953d10500b4c099
- SHA256: af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2
- SHA512: aa8149b018e2fe1ae97c9e978861f1c7f32030b410d50dbca107dcd9b973684b10ca0352c6c7b89248a8b7d46692320e38990f107f7790ae79d8c42db01cb55f
- SSDEEP: 6144:2IVUqq3PBHng5HavbEd6FxuDC8zVpJ46U/uRqy1gP:2ImJgazdUCaVpJ46U/uRqyM
Malware Config
Signatures

- Modifies firewall policy service (2 TTPs, 8 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe:*:Enabled:Windows Messanger" | reg.exe
  Note: DoNotAllowExceptions = 0 clears the "don't allow exceptions" (block all incoming) switch of the Standard profile so that the exception list is honoured. The two AuthorizedApplications\List values use the legacy "path:scope:Enabled:name" format, with scope * (any remote address); they allow-list both the sample's own path in Temp and C:\Users\Admin\AppData\Roaming\Explorer.exe, the path every persistence entry below points to, under the display name "Windows Messanger" (the misspelling is the sample's and is itself a usable indicator). The commands were issued against HKLM\System\CurrentControlSet (see Processes); the sandbox records the resolved ControlSet001 path.

- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe" | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe

- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EECFDBB-E9FC-AFF9-AA9F-BCA4CBCAFE06}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe" | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6EECFDBB-E9FC-AFF9-AA9F-BCA4CBCAFE06} | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components\{6EECFDBB-E9FC-AFF9-AA9F-BCA4CBCAFE06}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe" | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EECFDBB-E9FC-AFF9-AA9F-BCA4CBCAFE06} | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Note: an Active Setup StubPath under HKLM is executed at logon for each user whose hive does not yet carry the same component GUID, which makes it a logon-time autostart that many Run-key audits miss. The GUID {6EECFDBB-E9FC-AFF9-AA9F-BCA4CBCAFE06} is therefore a host-based indicator in both HKLM and the user hive.

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe" | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe" | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  Note: taken together, the sample registers the same AppData\Roaming\Explorer.exe path four times (HKLM Run, user Run, Policies\Explorer\Run and Active Setup), all under the value name "Explorer" so that it blends in with the real Windows shell binary; the real explorer.exe lives under C:\Windows, never under a user profile.

- Modifies registry key (1 TTPs, 4 IoCs)
  pid | process
  1560 | reg.exe
  1664 | reg.exe
  936 | reg.exe
  976 | reg.exe

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 520, process af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe, one IoC per privilege, in the order recorded:
  Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  Note: the bare numbers are privilege LUIDs the sandbox did not resolve to a name. Read in order, the 35 records are LUIDs 1 through 35 (2 = SeCreateTokenPrivilege through 30 = SeCreateGlobalPrivilege are the named ones), which is consistent with a loop that calls AdjustTokenPrivileges for every LUID in the range rather than requesting the few privileges the program actually needs.

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
  520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | process | procid_target
  PID 520 wrote to memory of 1488 (4 identical records) | 520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe | 28
  PID 520 wrote to memory of 320 (4 identical records) | 520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe | 29
  PID 520 wrote to memory of 1000 (4 identical records) | 520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe | 31
  PID 520 wrote to memory of 788 (4 identical records) | 520 | af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe | 33
  PID 1488 wrote to memory of 1664 (4 identical records) | 1488 | cmd.exe | 35
  PID 320 wrote to memory of 936 (4 identical records) | 320 | cmd.exe | 37
  PID 1000 wrote to memory of 976 (4 identical records) | 1000 | cmd.exe | 38
  PID 788 wrote to memory of 1560 (4 identical records) | 788 | cmd.exe | 39
  Note: every target here is a process the writer itself created (the four cmd.exe children of 520, and each cmd.exe's reg.exe child), so these writes are the parent populating a new child's address space during process creation, not cross-process injection into an unrelated process. procid_target is the sandbox's internal process index, not a Windows PID.
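The registry signatures above are the part of this report that turns directly into detection logic: firewall exception list entries and autostart values that point into a user-writable directory, plus a Windows binary name (Explorer.exe) living outside C:\Windows. The following is an added example, not part of the sandbox report or of any tooling it names. It runs over registry "Set value" events constructed from the IoCs above (the events list is hand-built test data, and the benign Program Files entry is invented as a control), normalises the key spellings the sandbox logs (\REGISTRY\MACHINE, ControlSet001, Wow6432Node, per-user SIDs) and applies the five checks a practitioner would want from this page.

```python
import re
from dataclasses import dataclass

# Constructed registry "Set value" events modelled on the IoCs in the report above.
# Tuples are (key path as the sandbox logs it, value name, value data). These are
# hand-built test inputs for this example, not sandbox output.
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DoNotAllowExceptions", "0"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     r"C:\Users\Admin\AppData\Roaming\Explorer.exe",
     r"C:\Users\Admin\AppData\Roaming\Explorer.exe:*:Enabled:Windows Messanger"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run",
     "Explorer", r"C:\Users\Admin\AppData\Roaming\Explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EECFDBB-E9FC-AFF9-AA9F-BCA4CBCAFE06}",
     "StubPath", r"C:\Users\Admin\AppData\Roaming\Explorer.exe"),
    (r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "Explorer", r"C:\Users\Admin\AppData\Roaming\Explorer.exe"),
    # Benign control (invented): a vendor updater under Program Files must not fire.
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
]

# Directories an unprivileged user can write to. A firewall exception or autostart
# pointing here deserves far more suspicion than one under Program Files or Windows.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
# Windows binary names malware borrows for its own copy (Explorer.exe in AppData\Roaming here).
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

FW_PROFILE = re.compile(r"\\firewallpolicy\\(standard|domain|public)profile$")
FW_LIST = re.compile(r"\\firewallpolicy\\(standard|domain|public)profile\\authorizedapplications\\list$")
RUN_KEYS = re.compile(r"\\microsoft\\windows\\currentversion\\(run(once)?|policies\\explorer\\run)$")
ACTIVE_SETUP = re.compile(r"\\microsoft\\active setup\\installed components\\\{[0-9a-f-]+\}$")


@dataclass
class Finding:
    rule: str
    key: str
    name: str
    data: str


def normalize_key(key: str) -> str:
    """Fold hive spellings, ControlSetNNN, Wow6432Node and per-user SIDs so one rule covers every variant."""
    k = key.strip("\\").lower()
    k = re.sub(r"^registry\\machine", "hklm", k)
    k = re.sub(r"^registry\\user\\s-1-5-21-[\d-]+", lambda _: "hku\\<sid>", k)
    k = re.sub(r"\\controlset\d{3}\\", lambda _: "\\currentcontrolset\\", k)
    return k.replace("\\wow6432node\\", "\\")


def exe_path(data: str) -> str:
    """Extract the executable from value data: drops surrounding quotes and arguments,
    and the legacy firewall list suffix 'path:*:Enabled:name' seen in this sample."""
    m = re.match(r'^"?([a-z]:\\[^:"]+?\.exe)', data.strip(), re.I)
    return m.group(1) if m else data


def detect(events):
    """Apply the checks to (key, name, data) events and return every rule that fires."""
    findings = []
    for key, name, data in events:
        k, path = normalize_key(key), exe_path(data)
        in_user_dir = bool(USER_WRITABLE.search(path))
        # 1. "Don't allow exceptions" switched off, so the exception list becomes effective.
        if FW_PROFILE.search(k) and name.lower() == "donotallowexceptions" and data.strip('"') == "0":
            findings.append(Finding("firewall_exceptions_enabled", k, name, data))
        # 2. Legacy firewall allow-list entry for a binary in a user-writable directory.
        if FW_LIST.search(k) and in_user_dir:
            findings.append(Finding("firewall_allow_user_writable_exe", k, name, data))
        # 3. Run / RunOnce / Policies\Explorer\Run autostart into a user-writable directory.
        if RUN_KEYS.search(k) and in_user_dir:
            findings.append(Finding("run_key_user_writable_exe", k, name, data))
        # 4. Active Setup StubPath (runs per user at logon) into a user-writable directory.
        if ACTIVE_SETUP.search(k) and name.lower() == "stubpath" and in_user_dir:
            findings.append(Finding("active_setup_user_writable_exe", k, name, data))
        # 5. A system binary name anywhere other than under C:\Windows.
        if path.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
            findings.append(Finding("system_binary_name_outside_windows", k, name, data))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.name} -> {f.data}")
```

Against the constructed events every malicious record fires at least one rule and the Program Files control fires none; the Explorer.exe records each fire twice (location rule plus masquerading-name rule), which is the intended overlap, since either alone would still surface the entry. The same functions work unchanged on events pulled from Sysmon Event ID 13 or from a registry hive parser, as long as the key is passed in the sandbox's \REGISTRY\... or an HKLM\... spelling.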
Processes

Depth numbers are the parent-child levels of the original tree (1 = the sample, 2 = its cmd.exe children, 3 = the reg.exe grandchildren). Every child runs from C:\Windows\SysWOW64, i.e. the sample is a 32-bit executable running under WOW64 on this x64 image, which is also why its HKLM writes land under Wow6432Node in the signatures above.

1. C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe"
   PID: 520
   - Adds policy Run key to start application
   - Modifies Installed Components in the registry
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 1488
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         PID: 1664
         - Modifies firewall policy service
         - Modifies registry key

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe:*:Enabled:Windows Messanger" /f
      PID: 320
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe:*:Enabled:Windows Messanger" /f
         PID: 936
         - Modifies firewall policy service
         - Modifies registry key

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 1000
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         PID: 976
         - Modifies firewall policy service
         - Modifies registry key

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Explorer.exe:*:Enabled:Windows Messanger" /f
      PID: 788
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Explorer.exe:*:Enabled:Windows Messanger" /f
         PID: 1560
         - Modifies firewall policy service
         - Modifies registry key

The sample runs the DoNotAllowExceptions command twice (once before each AuthorizedApplications\List entry) and shells out through cmd /c for each write rather than calling the registry API itself, so on a host with process-creation logging every one of these edits shows up as a reg.exe command line whose grandparent is an executable in the user's Temp directory.
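The process tree is what endpoint telemetry (process creation events carrying parent PID and command line) would show on a real host. As an added example, not part of the report or of any tool it names, the code below reconstructs the parent chain from such records, parses the REG ADD command line into key, value name, type and data, and flags reg.exe writes to firewall or autostart keys whose ancestry leads back to a binary in a user-writable directory. The records are constructed from the tree above (two of the four cmd.exe/reg.exe pairs) plus an invented interactive-admin control; the parent PIDs 400 and 1200 are assumed, the report does not give the sample's parent.

```python
import re

# Constructed process-creation records modelled on the process tree above:
# (pid, ppid, image, command line). Hand-built for this example, not sandbox
# output. Parent PIDs 400 and 1200 are assumed; the report does not state them.
SAMPLE_PROCS = [
    (520, 400, r"C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\af34cee2d527fe77f6dce09a3bf6ae76bb7a3eab1136bd158f38fa694cf397a2.exe"'),
    (1488, 520, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (1664, 1488, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (788, 520, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Explorer.exe:*:Enabled:Windows Messanger" /f'),
    (1560, 788, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Explorer.exe:*:Enabled:Windows Messanger" /f'),
    # Benign control (invented): an administrator's reg.exe from an interactive cmd.exe.
    (2000, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (2010, 2000, r"C:\Windows\System32\reg.exe",
     r"REG ADD HKLM\SOFTWARE\Vendor\App /v Setting /t REG_DWORD /d 1 /f"),
]

USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
# Registry locations whose modification through reg.exe is worth a look whatever the value.
SENSITIVE_KEYS = re.compile(
    r"\\sharedaccess\\parameters\\firewallpolicy\\|\\currentversion\\run(once)?$"
    r"|\\policies\\explorer\\run$|\\active setup\\installed components\\", re.I)


def basename(path):
    """Last path component; os.path.basename would not split Windows backslashes on a non-Windows host."""
    return path.rsplit("\\", 1)[-1]


def parse_reg_add(cmdline):
    """Parse 'REG ADD <key> [/v name] [/t type] [/d data] [/f]' as typed into cmd into a dict.
    Quoted and unquoted arguments are both accepted. Returns None for any other command line."""
    m = re.search(r'(?i)\breg(?:\.exe)?\s+add\s+(?:"([^"]+)"|(\S+))(.*)$', cmdline)
    if not m:
        return None
    out = {"key": m.group(1) or m.group(2), "name": None, "type": None, "data": None}
    for flag, field in (("v", "name"), ("t", "type"), ("d", "data")):
        fm = re.search(r'(?i)/%s\s+(?:"([^"]*)"|(\S+))' % flag, m.group(3))
        if fm:
            out[field] = fm.group(1) if fm.group(1) is not None else fm.group(2)
    return out


def ancestry(by_pid, pid):
    """Walk parent links upward: [self, parent, grandparent, ...]. Stops at unknown or looping PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_reg_chains(procs):
    """reg.exe writing a sensitive key, with an ancestor executable in a user-writable directory."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in procs}
    hits = []
    for pid, _, image, cmd in procs:
        if basename(image).lower() != "reg.exe":
            continue
        parsed = parse_reg_add(cmd)
        if not parsed or not SENSITIVE_KEYS.search(parsed["key"]):
            continue
        chain = ancestry(by_pid, pid)
        origin = next((img for img in chain if USER_WRITABLE.search(img)), None)
        if origin is None:
            continue  # an admin editing keys from an interactive shell is not this pattern
        hits.append({"pid": pid, "origin": origin,
                     "chain": " <- ".join(basename(p) for p in chain), **parsed})
    return hits


if __name__ == "__main__":
    for h in find_reg_chains(SAMPLE_PROCS):
        print(f"pid {h['pid']}: {h['chain']}\n  {h['key']}\n  {h['name']} = {h['data']}")
```

The ancestry walk is what separates this from a plain command-line match: the benign control touches the registry through the same reg.exe image and would pass a key-only check, but its chain never reaches a user-profile executable. On a live host the records come from Sysmon Event ID 1 or Windows Security Event 4688 (with command-line auditing enabled); only the image, parent PID and command line fields are needed.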