5a33e61b6625e2cac6ce1b3cfb05958cda95b7257d50e1d0108b83596392a5b6

General

Target

70e1682854e1b5771b91eb317df85bd8.exe
Size

204KB
MD5

70e1682854e1b5771b91eb317df85bd8
SHA1

cccf0c59a8071485f23a36488b9eb65b7d5e23de
SHA256

5a33e61b6625e2cac6ce1b3cfb05958cda95b7257d50e1d0108b83596392a5b6
SHA512

a9fedcaa034c78463933a0347a525618ed01114956c8779f90dac5dfeec2f84ea6a903f7b65cd62b942084d181bc510138824b9554f5eeffb1eb5d2ebe9072d4
SSDEEP

6144:9GaO0vYQoJfzRMgSf27kBPpVrixUG/NE:9GpQUzRMzNBPDrPGW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

70e1682854e1b5771b91eb317df85bd8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	70e1682854e1b5771b91eb317df85bd8.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\75439967573920484\winsvr.exe = "C:\\Users\\Admin\\75439967573920484\\winsvr.exe:*:Enabled:Windows Service"	70e1682854e1b5771b91eb317df85bd8.exe

Executes dropped EXE 2 IoCs

Processes:

winsvr.exewinsvr.exe

pid process

2036 winsvr.exe
2620 winsvr.exe
Loads dropped DLL 2 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exe

pid process

1828 70e1682854e1b5771b91eb317df85bd8.exe
1828 70e1682854e1b5771b91eb317df85bd8.exe

pid	process
2036	winsvr.exe
2620	winsvr.exe

pid	process
1828	70e1682854e1b5771b91eb317df85bd8.exe
1828	70e1682854e1b5771b91eb317df85bd8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

70e1682854e1b5771b91eb317df85bd8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\75439967573920484\\winsvr.exe"	70e1682854e1b5771b91eb317df85bd8.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exewinsvr.exe

description	pid	process	target process
PID 2500 set thread context of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2036 set thread context of 2620	2036	winsvr.exe	winsvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exewinsvr.exe

pid process

2500 70e1682854e1b5771b91eb317df85bd8.exe
2036 winsvr.exe

pid	process
2500	70e1682854e1b5771b91eb317df85bd8.exe
2036	winsvr.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exe70e1682854e1b5771b91eb317df85bd8.exewinsvr.exe

description	pid	process	target process
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2500 wrote to memory of 1828	2500	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 1828 wrote to memory of 2036	1828	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 1828 wrote to memory of 2036	1828	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 1828 wrote to memory of 2036	1828	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 1828 wrote to memory of 2036	1828	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe
PID 2036 wrote to memory of 2620	2036	winsvr.exe	winsvr.exe

C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe
"C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe
"C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe"
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\75439967573920484\winsvr.exe
"C:\Users\Admin\75439967573920484\winsvr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\75439967573920484\winsvr.exe
"C:\Users\Admin\75439967573920484\winsvr.exe"
4⤵
- Executes dropped EXE
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1828-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1828-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2036-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2620-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads