0a2c849b16b29ec9300cee1e218f71a519fd5c507b1047bd4692a4b42ff83580

General

Target

241d6106ba1b70901bd21adfb93e654a.exe
Size

119KB
MD5

241d6106ba1b70901bd21adfb93e654a
SHA1

5d3e2035e12a7f6e0453bf5f1d030a50c9f6a26e
SHA256

0a2c849b16b29ec9300cee1e218f71a519fd5c507b1047bd4692a4b42ff83580
SHA512

000b805db2bfe62db028ed20f1889e6ec364878b36d845af25db2235112c9b52f819d559925391da23c5f54f7f04c9e889b6d75e8f486946c2e07911c643cbaa
SSDEEP

1536:q9CP6Azl6VEuIkL9VobQ5UwqAL2pp/rkww/ijc3OM6Xc+E1uYEXcfTxXciZsOn:q9CPxAdIkL7olwl0poKjc3O7DYEXsHT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	241d6106ba1b70901bd21adfb93e654a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	241d6106ba1b70901bd21adfb93e654a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe:*:Enabled:Microsoft® Windows System"	241d6106ba1b70901bd21adfb93e654a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	241d6106ba1b70901bd21adfb93e654a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	241d6106ba1b70901bd21adfb93e654a.exe

Executes dropped EXE 2 IoCs

Processes:

winsam.exewinsam.exe

pid process

4596 winsam.exe
4084 winsam.exe

pid	process
4596	winsam.exe
4084	winsam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows System = "C:\\Users\\Admin\\M-1-52-5782-8754-5245\\winsam.exe"	241d6106ba1b70901bd21adfb93e654a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

241d6106ba1b70901bd21adfb93e654a.exewinsam.exe

description	pid	process	target process
PID 2200 set thread context of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 4596 set thread context of 4084	4596	winsam.exe	winsam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

241d6106ba1b70901bd21adfb93e654a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	241d6106ba1b70901bd21adfb93e654a.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

241d6106ba1b70901bd21adfb93e654a.exe241d6106ba1b70901bd21adfb93e654a.exewinsam.exe

description	pid	process	target process
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 2200 wrote to memory of 1156	2200	241d6106ba1b70901bd21adfb93e654a.exe	241d6106ba1b70901bd21adfb93e654a.exe
PID 1156 wrote to memory of 4596	1156	241d6106ba1b70901bd21adfb93e654a.exe	winsam.exe
PID 1156 wrote to memory of 4596	1156	241d6106ba1b70901bd21adfb93e654a.exe	winsam.exe
PID 1156 wrote to memory of 4596	1156	241d6106ba1b70901bd21adfb93e654a.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe
PID 4596 wrote to memory of 4084	4596	winsam.exe	winsam.exe

C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
"C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe
"C:\Users\Admin\AppData\Local\Temp\241d6106ba1b70901bd21adfb93e654a.exe"
2⤵
- Modifies firewall policy service
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe
"C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe
"C:\Users\Admin\M-1-52-5782-8754-5245\winsam.exe"
4⤵
- Executes dropped EXE
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1156-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1156-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2200-1-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/2200-0-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/4596-68-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/4596-67-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads