0b82ec88974356f1bfcc12531ed73ec3be8b0bd1737365772fcb1a8c8e775b8e

Resubmissions

19/08/2023, 20:34

230819-zchf4sdg4z 8

19/08/2023, 20:29

230819-y92etacb98 8

Analysis

max time kernel
150s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230703-de
resource tags

arch:x64arch:x86image:win10-20230703-delocale:de-deos:windows10-1703-x64systemwindows
submitted
19/08/2023, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IP.exe
Size

1.2MB
MD5

60a1fae2ce4af668c8dd69295a0b9244
SHA1

b51a67f6db7d15aab8894389306ad704ba001dfd
SHA256

0b82ec88974356f1bfcc12531ed73ec3be8b0bd1737365772fcb1a8c8e775b8e
SHA512

564c0570a8c92dd8b807ec762aa4957dc5d107ffb7dcfb09adb092535052b63e4674306b82c830f1416742cb916e87e6c7e32aab7be853605897d2d4ba0a3b33
SSDEEP

24576:CdofGAmSIQ177wZ+A7MjiiRDXU/Sat5RgsLSmIOHsU5zMmX1xYwncqKvGqJf:CdofGbSIQ177wZvYjiiRDXASat5RgsLQ

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
3256	netsh.exe
2336	netsh.exe
4464	netsh.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WF.msc	mmc.exe
File opened for modification	C:\Windows\system32\WF.msc	mmc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
676	IP.exe
676	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
876	taskmgr.exe
4956	mmc.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4956	mmc.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	taskmgr.exe
Token: SeSystemProfilePrivilege	876	taskmgr.exe
Token: SeCreateGlobalPrivilege	876	taskmgr.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	4956	mmc.exe
Token: SeIncBasePriorityPrivilege	4956	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe
Token: 33	3896	mmc.exe
Token: SeIncBasePriorityPrivilege	3896	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
676	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
3580	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
3580	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
676	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
3580	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
3580	IP.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe
876	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4956	mmc.exe
3896	mmc.exe
4956	mmc.exe
3896	mmc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 3256	676	IP.exe	70
PID 676 wrote to memory of 3256	676	IP.exe	70
PID 3580 wrote to memory of 2336	3580	IP.exe	77
PID 3580 wrote to memory of 2336	3580	IP.exe	77
PID 3376 wrote to memory of 4464	3376	IP.exe	81
PID 3376 wrote to memory of 4464	3376	IP.exe	81

C:\Users\Admin\AppData\Local\Temp\IP.exe
"C:\Users\Admin\AppData\Local\Temp\IP.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SYSTEM32\netsh.exe
  netsh advfirewall set domainprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:3256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:876

C:\Users\Admin\AppData\Local\Temp\IP.exe
"C:\Users\Admin\AppData\Local\Temp\IP.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SYSTEM32\netsh.exe
  netsh advfirewall set domainprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:2336

C:\Users\Admin\AppData\Local\Temp\IP.exe
"C:\Users\Admin\AppData\Local\Temp\IP.exe"
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\IP.exe
"C:\Users\Admin\AppData\Local\Temp\IP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SYSTEM32\netsh.exe
  netsh advfirewall set domainprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:4464

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3896-223-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-214-0x00007FFA2FED0000-0x00007FFA308BC000-memory.dmp

Filesize
9.9MB

Download
memory/3896-268-0x00007FFA2FED0000-0x00007FFA308BC000-memory.dmp

Filesize
9.9MB

Download
memory/3896-145-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-232-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-229-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-228-0x00007FF683DA0000-0x00007FF683DB0000-memory.dmp

Filesize
64KB

Download
memory/3896-196-0x000000001D470000-0x000000001D774000-memory.dmp

Filesize
3.0MB

Download
memory/3896-225-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-135-0x00007FFA2FED0000-0x00007FFA308BC000-memory.dmp

Filesize
9.9MB

Download
memory/3896-198-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-200-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-202-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-222-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-219-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-203-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-206-0x00007FF683DA0000-0x00007FF683DB0000-memory.dmp

Filesize
64KB

Download
memory/3896-218-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-216-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/3896-209-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/4956-199-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-221-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-211-0x00007FF6847F0000-0x00007FF684800000-memory.dmp

Filesize
64KB

Download
memory/4956-207-0x00007FFA2FED0000-0x00007FFA308BC000-memory.dmp

Filesize
9.9MB

Download
memory/4956-217-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-205-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-204-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-220-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-224-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-140-0x00007FFA2FED0000-0x00007FFA308BC000-memory.dmp

Filesize
9.9MB

Download
memory/4956-215-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-197-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-201-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-226-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-227-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-193-0x000000001D2F0000-0x000000001D7D4000-memory.dmp

Filesize
4.9MB

Download
memory/4956-192-0x0000000004A00000-0x0000000004A0C000-memory.dmp

Filesize
48KB

Download
memory/4956-230-0x00007FF6847F0000-0x00007FF684800000-memory.dmp

Filesize
64KB

Download
memory/4956-231-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download
memory/4956-163-0x000000001CCB0000-0x000000001CDB4000-memory.dmp

Filesize
1.0MB

Download
memory/4956-143-0x000000001CCA0000-0x000000001CCB0000-memory.dmp

Filesize
64KB

Download