Analysis

max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 07:08

Static task: static1 (1 signature)
Behavioral task: behavioral1
    Sample: 2cc79b51b33f2bfd386e4a4c44eec408.exe
    Resource: win7-20231215-en
    7 signatures, 150 seconds

General

Target: 2cc79b51b33f2bfd386e4a4c44eec408.exe
Size: 252KB
MD5: 2cc79b51b33f2bfd386e4a4c44eec408
SHA1: cc1baa0ea75edceae2b2349c993830248e17d4cd
SHA256: 72ddd58a65dd62b75157daf1cb0b8a5a12b94e57453f1b6fbb7a46ef00272fb4
SHA512: 9ca9fe1c34bfe25aaaa9d0ab0be556326c04b0a1256e772f826478c029aaba2a5f0397476467400790cd3e594ee34e4d3c8757fd38e8fd95f6b77041679d95ba
SSDEEP: 6144:86wFvhbvdR5q4ysQE4msaUxE/DbpQ3CbtLn:86wFv6rVE4mnUxE/Dby3m
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 8 IoCs)

    - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
    - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
    - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
    - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
    - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger" (reg.exe)
    - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
    - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2cc79b51b33f2bfd386e4a4c44eec408.exe:*:Enabled:Windows Messanger" (reg.exe)
    - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)

    Reading these together: DoNotAllowExceptions = 0 switches the "Don't allow exceptions" option off for the Standard profile, and the two AuthorizedApplications\List values add the sample itself and C:\Users\Admin\AppData\Roaming\local.exe to the legacy per-profile allow list with the display name "Windows Messanger" (the misspelling is the sample's own and is a usable string indicator). No process for local.exe appears in this run's process tree. When writing detections, match on the sub-path SharedAccess\Parameters\FirewallPolicy rather than the full key: the command lines use HKLM\System\CurrentControlSet while the recorded IoCs resolve that link to ControlSet001.
YARA rule matches: upx (18 IoCs)

    All matches are on memory dumps of PID 1728, region 0x0000000000400000-0x000000000045D000 (resource behavioral1/memory/1728-N-0x0000000000400000-0x000000000045D000-memory.dmp), for dump indices N = 2, 4, 8, 10, 13, 11, 19, 22, 23, 24, 26, 27, 28, 30, 31, 32, 33, 35. Each matched rule: upx.
Suspicious use of SetThreadContext (1 IoC)

    - PID 3044 (2cc79b51b33f2bfd386e4a4c44eec408.exe) set thread context of PID 1728 (procid_target 28)
Modifies registry key (1 TTP, 4 IoCs)

    - reg.exe, PIDs 2596, 2932, 2872, 2676
Suspicious use of AdjustPrivilegeToken (35 IoCs)

    All by PID 1728 (2cc79b51b33f2bfd386e4a4c44eec408.exe). Tokens, in the order recorded:
    1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
    (The numeric entries are privilege LUIDs the sandbox did not resolve to names. Requesting every privilege from 1 through 35 in sequence is an "enable everything" sweep rather than a request for the specific privileges the process needs.)
Suspicious use of SetWindowsHookEx (3 IoCs)

    - PID 1728 (2cc79b51b33f2bfd386e4a4c44eec408.exe), 3 calls
Suspicious use of WriteProcessMemory (40 IoCs)

    - PID 3044 (2cc79b51b33f2bfd386e4a4c44eec408.exe) wrote to memory of 1728 (procid_target 28): 8 times
    - PID 1728 (2cc79b51b33f2bfd386e4a4c44eec408.exe) wrote to memory of 1508 (procid_target 29): 4 times
    - PID 1728 (2cc79b51b33f2bfd386e4a4c44eec408.exe) wrote to memory of 2716 (procid_target 40): 4 times
    - PID 1728 (2cc79b51b33f2bfd386e4a4c44eec408.exe) wrote to memory of 2844 (procid_target 38): 4 times
    - PID 1728 (2cc79b51b33f2bfd386e4a4c44eec408.exe) wrote to memory of 2868 (procid_target 37): 4 times
    - PID 2716 (cmd.exe) wrote to memory of 2596 (procid_target 31): 4 times
    - PID 1508 (cmd.exe) wrote to memory of 2872 (procid_target 33): 4 times
    - PID 2868 (cmd.exe) wrote to memory of 2676 (procid_target 34): 4 times
    - PID 2844 (cmd.exe) wrote to memory of 2932 (procid_target 32): 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe  (PID 3044)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe  (PID 1728)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 1508)
            cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 2872)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe  (PID 2868)
            cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 2676)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe  (PID 2844)
            cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 2932)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Modifies firewall policy service
                - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe  (PID 2716)
            cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe:*:Enabled:Windows Messanger" /f
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 2596)
                cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe:*:Enabled:Windows Messanger" /f
                - Modifies firewall policy service
                - Modifies registry key

Note on the tree: the report renders reg.exe PIDs 2596, 2932 and 2676 at the top level with no parent. The WriteProcessMemory IoCs (cmd.exe 2716 -> 2596, cmd.exe 2844 -> 2932, cmd.exe 2868 -> 2676) identify their parents, so they are placed under those cmd.exe instances here. The first process (3044) spawns a second copy of its own image (1728), writes to it eight times and sets its thread context; 1728 is the copy that enables privileges, installs hooks and drives the four cmd.exe/reg.exe chains, and it is the one whose memory dumps match the upx rule.
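The two findings in this report can be re-derived from the raw records it lists. The following is an added example, my own code and not part of the sandbox report or of any vendor tooling: it parses the four REG ADD command lines from the process tree into key/value/data, classifies the ones that touch the per-profile firewall policy (splitting the "path:scope:state:name" allow-list format so the drive-letter colon survives, and matching on the FirewallPolicy sub-path so CurrentControlSet and ControlSet001 spellings both hit), and flags the parent/child pair where a process both wrote into and set the thread context of a child running its own image. The input lists are constructed from this report's tables; the function names are my own.

```python
# Added triage example (my own code, not part of the sandbox report).
# Inputs below are constructed from the report's process tree and IoC tables.
import re
from collections import defaultdict

REG_CMDLINES = [  # the four `cmd /c REG ADD ...` lines from the process tree
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    r' /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    r' /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ'
    r' /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    r' /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    r' /v "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe" /t REG_SZ'
    r' /d "C:\Users\Admin\AppData\Local\Temp\2cc79b51b33f2bfd386e4a4c44eec408.exe:*:Enabled:Windows Messanger" /f',
]
PROCESS_IMAGE = {  # pid -> image name, from the process tree
    3044: "2cc79b51b33f2bfd386e4a4c44eec408.exe", 1728: "2cc79b51b33f2bfd386e4a4c44eec408.exe",
    1508: "cmd.exe", 2716: "cmd.exe", 2844: "cmd.exe", 2868: "cmd.exe",
    2872: "reg.exe", 2596: "reg.exe", 2932: "reg.exe", 2676: "reg.exe",
}
API_EVENTS = [  # (api, source pid, target pid, count) from the "Suspicious use of ..." tables
    ("SetThreadContext", 3044, 1728, 1), ("WriteProcessMemory", 3044, 1728, 8),
    ("WriteProcessMemory", 1728, 1508, 4), ("WriteProcessMemory", 1728, 2716, 4),
    ("WriteProcessMemory", 1728, 2844, 4), ("WriteProcessMemory", 1728, 2868, 4),
    ("WriteProcessMemory", 2716, 2596, 4), ("WriteProcessMemory", 1508, 2872, 4),
    ("WriteProcessMemory", 2868, 2676, 4), ("WriteProcessMemory", 2844, 2932, 4),
]

# Anchored on the sub-path only: CurrentControlSet (command line) is a link to
# ControlSet00N (the recorded IoCs), so both spellings must match.
FIREWALL_KEY_RE = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\(?P<profile>[A-Za-z]+Profile)"
    r"(?P<list>\\AuthorizedApplications\\List)?$", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Return {key, name, type, data} for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    starts = [i for i in range(1, len(toks) - 1) if toks[i].upper() == "ADD"
              and toks[i - 1].lower().rsplit("\\", 1)[-1] in ("reg", "reg.exe")]
    if not starts:
        return None
    i = starts[0]
    entry = {"key": toks[i + 1], "name": None, "type": None, "data": None}
    flags = {"/v": "name", "/t": "type", "/d": "data"}
    for j in range(i + 2, len(toks) - 1):
        if toks[j].lower() in flags:
            entry[flags[toks[j].lower()]] = toks[j + 1]
    return entry


def classify_firewall_change(entry):
    """Map a parsed `reg add` to a firewall-policy finding, or None if unrelated."""
    m = FIREWALL_KEY_RE.search(entry["key"])
    if not m:
        return None
    profile = m.group("profile")
    if m.group("list"):
        # Data is "<program path>:<scope>:<Enabled|Disabled>:<display name>"; split
        # from the right so the drive-letter colon inside the path survives.
        parts = (entry["data"] or "").rsplit(":", 3)
        if len(parts) != 4:
            return {"kind": "firewall_allowlist_malformed", "profile": profile, "raw": entry["data"]}
        program, scope, state, display = parts
        return {"kind": "firewall_allow_program", "profile": profile, "program": program,
                "scope": scope, "state": state, "display_name": display}
    if (entry["name"] or "").lower() == "donotallowexceptions" and entry["data"] == "0":
        # 0 turns "Don't allow exceptions" off, so the allow-list entries take effect.
        return {"kind": "firewall_exceptions_enabled", "profile": profile}
    return {"kind": "firewall_policy_other", "profile": profile,
            "name": entry["name"], "data": entry["data"]}


def firewall_findings(cmdlines):
    """Parse every command line and keep only the firewall-policy findings."""
    out = []
    for c in cmdlines:
        entry = parse_reg_add(c)
        finding = classify_firewall_change(entry) if entry else None
        if finding:
            out.append(finding)
    return out


def find_self_injection(events, images):
    """(src, dst) pairs where a process wrote into, and set the thread context of,
    a child running its own image: the 3044 -> 1728 shape in this report."""
    writes = defaultdict(int)
    for api, src, dst, n in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += n
    ctx = {(s, d) for api, s, d, _ in events if api == "SetThreadContext"}
    return sorted(p for p in ctx if writes[p] and images.get(p[0]) == images.get(p[1]))
```

Run against the report's records, firewall_findings returns two firewall_exceptions_enabled findings and two firewall_allow_program findings (both with display_name "Windows Messanger", scope "*", state "Enabled"), and find_self_injection returns the single pair (3044, 1728). The same-image check is what separates this pattern from the ordinary CreateProcess writes that 1728 and the cmd.exe instances make into their children, which also appear as WriteProcessMemory IoCs but carry no SetThreadContext and target a different image.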