0a2c849b16b29ec9300cee1e218f71a519fd5c507b1047bd4692a4b42ff83580

General

Target

241d6106ba1b70901bd21adfb93e654a.exe
Size

119KB
MD5

241d6106ba1b70901bd21adfb93e654a
SHA1

5d3e2035e12a7f6e0453bf5f1d030a50c9f6a26e
SHA256

0a2c849b16b29ec9300cee1e218f71a519fd5c507b1047bd4692a4b42ff83580
SHA512

000b805db2bfe62db028ed20f1889e6ec364878b36d845af25db2235112c9b52f819d559925391da23c5f54f7f04c9e889b6d75e8f486946c2e07911c643cbaa
SSDEEP

1536:q9CP6Azl6VEuIkL9VobQ5UwqAL2pp/rkww/ijc3OM6Xc+E1uYEXcfTxXciZsOn:q9CPxAdIkL7olwl0poKjc3O7DYEXsHT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	241d6106ba1b70901bd21adfb93e654a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe:*:Enabled:Microsoft® Windows System"	241d6106ba1b70901bd21adfb93e654a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows System = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe"	241d6106ba1b70901bd21adfb93e654a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description pid process target process

PID 2372 set thread context of 2144 2372 241d6106ba1b70901bd21adfb93e654a.exe 241d6106ba1b70901bd21adfb93e654a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2372 set thread context of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	pid	process	target process
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2372 wrote to memory of 2144	2372	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe

C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
"C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
"C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
2⤵
- Modifies firewall policy service
- Adds Run key to start application
PID:2144

C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe
"C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
3⤵
PID:2412

C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe
"C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
1⤵
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-19-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2372-1-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2372-0-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2412-33-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2412-32-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads