52dc5008f725b9feb38bc63db28928e3dd1ee8c4009448ea80f48cc96d0ef6c7

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Size

174KB
MD5

4d9b4cbed6d3f3f34a890e9c60a2c7a9
SHA1

aefe05391176df1541df089d2755b3ca6fbe349b
SHA256

52dc5008f725b9feb38bc63db28928e3dd1ee8c4009448ea80f48cc96d0ef6c7
SHA512

1d34b4743ab56fb0fb77ec3e2d7b3580f75e4e571cc8c73467413ca2ccc33536b6fbdd315a41f1464b2e84e8127143fe7c98ed5dab076d30d5cefa9a5736f40a
SSDEEP

3072:y2Jtq5dKQ4MR+32a60nmIADraMAZN8Cwed9Nztvft3GSW9N18isE0oK:8J4MROnmBfFWH9tVt3GSKN1hu

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B2E72E7E-400B-9EBD-4BCA-ADAEF4DFBBAD}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E72E7E-400B-9EBD-4BCA-ADAEF4DFBBAD}	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E72E7E-400B-9EBD-4BCA-ADAEF4DFBBAD}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B2E72E7E-400B-9EBD-4BCA-ADAEF4DFBBAD}	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2008-0-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-9-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-12-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-14-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-19-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-22-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-25-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-29-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-32-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-35-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-38-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-45-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-49-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2008-55-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2408	reg.exe
3364	reg.exe
3984	reg.exe
4536	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeCreateTokenPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeAssignPrimaryTokenPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeLockMemoryPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeIncreaseQuotaPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeMachineAccountPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeTcbPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeSecurityPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeTakeOwnershipPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeLoadDriverPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeSystemProfilePrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeSystemtimePrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeProfSingleProcessPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeIncBasePriorityPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeCreatePagefilePrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeCreatePermanentPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeBackupPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeRestorePrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeShutdownPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeDebugPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeAuditPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeSystemEnvironmentPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeChangeNotifyPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeRemoteShutdownPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeUndockPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeSyncAgentPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeEnableDelegationPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeManageVolumePrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeImpersonatePrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeCreateGlobalPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: 31	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: 32	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: 33	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: 34	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: 35	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
Token: SeDebugPrivilege	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3744	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	42
PID 2008 wrote to memory of 3744	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	42
PID 2008 wrote to memory of 3744	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	42
PID 2008 wrote to memory of 3232	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	41
PID 2008 wrote to memory of 3232	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	41
PID 2008 wrote to memory of 3232	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	41
PID 2008 wrote to memory of 32	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	40
PID 2008 wrote to memory of 32	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	40
PID 2008 wrote to memory of 32	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	40
PID 2008 wrote to memory of 2224	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	39
PID 2008 wrote to memory of 2224	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	39
PID 2008 wrote to memory of 2224	2008	4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe	39
PID 3744 wrote to memory of 4536	3744	cmd.exe	36
PID 3744 wrote to memory of 4536	3744	cmd.exe	36
PID 3744 wrote to memory of 4536	3744	cmd.exe	36
PID 3232 wrote to memory of 3364	3232	cmd.exe	34
PID 3232 wrote to memory of 3364	3232	cmd.exe	34
PID 3232 wrote to memory of 3364	3232	cmd.exe	34
PID 32 wrote to memory of 3984	32	cmd.exe	35
PID 32 wrote to memory of 3984	32	cmd.exe	35
PID 32 wrote to memory of 3984	32	cmd.exe	35
PID 2224 wrote to memory of 2408	2224	cmd.exe	33
PID 2224 wrote to memory of 2408	2224	cmd.exe	33
PID 2224 wrote to memory of 2408	2224	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe
"C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\windows.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\windows.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\windows.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\windows.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2408

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4d9b4cbed6d3f3f34a890e9c60a2c7a9.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:3364

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:3984

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-8-0x0000000077646000-0x0000000077647000-memory.dmp

Filesize
4KB

Download
memory/2008-7-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/2008-6-0x0000000076DD0000-0x0000000076EC0000-memory.dmp

Filesize
960KB

Download
memory/2008-9-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-13-0x0000000076DD0000-0x0000000076EC0000-memory.dmp

Filesize
960KB

Download
memory/2008-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-17-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/2008-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-19-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-25-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-29-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-32-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-35-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-38-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-45-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-49-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2008-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads