724f88a6a77e72621301c29899b827b7fb947be5a76003ea7959ad4f5199bdaf

General

Target

489f739e5b26bd5037ff378188f87864.exe
Size

367KB
MD5

489f739e5b26bd5037ff378188f87864
SHA1

c92453e14361b42533482e9ae0e5c687df419b25
SHA256

724f88a6a77e72621301c29899b827b7fb947be5a76003ea7959ad4f5199bdaf
SHA512

edf5843d8712228e95e882347cfcc63f8ed7d5f789c8459fa7969a1a032147aca778a0e196d8b408494086383aac3b0af1283a37d00922d5bdec62bcd8103902
SSDEEP

6144:Os8LzwROGvhrz8o3XdJ1hrz8o3XdJd3VWS+fwrI8:OLLs8AdVd528

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\Microsft\mspkg.exe = "C:\\Windows\\system32\\Microsft\\mspkg.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	489f739e5b26bd5037ff378188f87864.exe

Executes dropped EXE 1 IoCs

pid	Process
1156	mspkg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsft Security Package = "C:\\Windows\\system32\\Microsft\\mspkg.exe"	489f739e5b26bd5037ff378188f87864.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsft\mspkg.exe	489f739e5b26bd5037ff378188f87864.exe
File opened for modification	C:\Windows\SysWOW64\Microsft\mspkg.exe	489f739e5b26bd5037ff378188f87864.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2032	TASKKILL.exe
4804	TASKKILL.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3512	reg.exe
1540	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	TASKKILL.exe
Token: SeDebugPrivilege	2032	TASKKILL.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4804	1184	489f739e5b26bd5037ff378188f87864.exe	31
PID 1184 wrote to memory of 4804	1184	489f739e5b26bd5037ff378188f87864.exe	31
PID 1184 wrote to memory of 4804	1184	489f739e5b26bd5037ff378188f87864.exe	31
PID 1184 wrote to memory of 828	1184	489f739e5b26bd5037ff378188f87864.exe	104
PID 1184 wrote to memory of 828	1184	489f739e5b26bd5037ff378188f87864.exe	104
PID 1184 wrote to memory of 828	1184	489f739e5b26bd5037ff378188f87864.exe	104
PID 1184 wrote to memory of 3180	1184	489f739e5b26bd5037ff378188f87864.exe	103
PID 1184 wrote to memory of 3180	1184	489f739e5b26bd5037ff378188f87864.exe	103
PID 1184 wrote to memory of 3180	1184	489f739e5b26bd5037ff378188f87864.exe	103
PID 3180 wrote to memory of 1540	3180	cmd.exe	102
PID 3180 wrote to memory of 1540	3180	cmd.exe	102
PID 3180 wrote to memory of 1540	3180	cmd.exe	102
PID 828 wrote to memory of 3512	828	cmd.exe	101
PID 828 wrote to memory of 3512	828	cmd.exe	101
PID 828 wrote to memory of 3512	828	cmd.exe	101
PID 1184 wrote to memory of 1156	1184	489f739e5b26bd5037ff378188f87864.exe	96
PID 1184 wrote to memory of 1156	1184	489f739e5b26bd5037ff378188f87864.exe	96
PID 1184 wrote to memory of 1156	1184	489f739e5b26bd5037ff378188f87864.exe	96
PID 1156 wrote to memory of 2032	1156	mspkg.exe	100
PID 1156 wrote to memory of 2032	1156	mspkg.exe	100
PID 1156 wrote to memory of 2032	1156	mspkg.exe	100

C:\Users\Admin\AppData\Local\Temp\489f739e5b26bd5037ff378188f87864.exe
"C:\Users\Admin\AppData\Local\Temp\489f739e5b26bd5037ff378188f87864.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM mspkg.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\SysWOW64\Microsft\mspkg.exe
  "C:\Windows\system32\Microsft\mspkg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM mspkg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\system32\Microsft\mspkg.exe" /t REG_SZ /d "C:\Windows\system32\Microsft\mspkg.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:828

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:3512

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\system32\Microsft\mspkg.exe" /t REG_SZ /d "C:\Windows\system32\Microsft\mspkg.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1156-17-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/1156-15-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1156-19-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-1-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/1184-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-0-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-16-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads