472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e

Analysis

max time kernel
148s
max time network
134s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Size

576KB
MD5

a21656e97cebceff58f72e80a4c00a22
SHA1

a1f53cb43a9d3802647342b463d6d032aa616347
SHA256

472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e
SHA512

0e6755fbe74df6ab817083a50c9dcbdd04d0498fd5a765d3d71526489d5f0715390de48c45409721ae5ecf1f0ef35d6961b758559a316f20b516d4ef08b28d8a
SSDEEP

12288:hxLNqVwGaV3xVauQ28IaiE0E/gq0638NyqtXp:hxBGa3YucIyJuyO

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\J0DQG4AZ5B.exe = "C:\\Users\\Admin\\AppData\\Roaming\\J0DQG4AZ5B.exe:*:Enabled:Windows Messanger"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1916	reg.exe
1332	reg.exe
1940	reg.exe
1152	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeCreateTokenPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeAssignPrimaryTokenPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeLockMemoryPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeIncreaseQuotaPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeMachineAccountPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeTcbPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeSecurityPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeTakeOwnershipPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeLoadDriverPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeSystemProfilePrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeSystemtimePrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeProfSingleProcessPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeIncBasePriorityPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeCreatePagefilePrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeCreatePermanentPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeBackupPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeRestorePrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeShutdownPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeDebugPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeAuditPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeSystemEnvironmentPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeChangeNotifyPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeRemoteShutdownPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeUndockPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeSyncAgentPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeEnableDelegationPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeManageVolumePrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeImpersonatePrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: SeCreateGlobalPrivilege	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: 31	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: 32	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: 33	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: 34	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
Token: 35	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1544 wrote to memory of 1760	1544	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	26
PID 1760 wrote to memory of 524	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	27
PID 1760 wrote to memory of 524	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	27
PID 1760 wrote to memory of 524	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	27
PID 1760 wrote to memory of 524	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	27
PID 1760 wrote to memory of 572	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	29
PID 1760 wrote to memory of 572	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	29
PID 1760 wrote to memory of 572	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	29
PID 1760 wrote to memory of 572	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	29
PID 1760 wrote to memory of 568	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	33
PID 1760 wrote to memory of 568	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	33
PID 1760 wrote to memory of 568	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	33
PID 1760 wrote to memory of 568	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	33
PID 1760 wrote to memory of 1488	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	31
PID 1760 wrote to memory of 1488	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	31
PID 1760 wrote to memory of 1488	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	31
PID 1760 wrote to memory of 1488	1760	472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe	31
PID 524 wrote to memory of 1332	524	cmd.exe	35
PID 524 wrote to memory of 1332	524	cmd.exe	35
PID 524 wrote to memory of 1332	524	cmd.exe	35
PID 524 wrote to memory of 1332	524	cmd.exe	35
PID 568 wrote to memory of 1940	568	cmd.exe	36
PID 568 wrote to memory of 1940	568	cmd.exe	36
PID 568 wrote to memory of 1940	568	cmd.exe	36
PID 568 wrote to memory of 1940	568	cmd.exe	36
PID 572 wrote to memory of 1152	572	cmd.exe	37
PID 572 wrote to memory of 1152	572	cmd.exe	37
PID 572 wrote to memory of 1152	572	cmd.exe	37
PID 572 wrote to memory of 1152	572	cmd.exe	37
PID 1488 wrote to memory of 1916	1488	cmd.exe	38
PID 1488 wrote to memory of 1916	1488	cmd.exe	38
PID 1488 wrote to memory of 1916	1488	cmd.exe	38
PID 1488 wrote to memory of 1916	1488	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
"C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe
  "C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\472e61ce1652fecaa78ae680a42c1c196b32d6f66e7cc794030b6ac0d767d10e.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\J0DQG4AZ5B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\J0DQG4AZ5B.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\J0DQG4AZ5B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\J0DQG4AZ5B.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-56-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1760-62-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1760-71-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1760-72-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads