5aeb5c5357dc3aa320e6ff1a9b40eaf3b93b88fa6e220dd69b33f8a0703f812e

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2024, 21:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

639a56874b7fb0017aea82f76e034be1.exe
Size

3.5MB
MD5

639a56874b7fb0017aea82f76e034be1
SHA1

6f2c5692fb9b05f3a28b05298c6638e528c386ab
SHA256

5aeb5c5357dc3aa320e6ff1a9b40eaf3b93b88fa6e220dd69b33f8a0703f812e
SHA512

0e24d98b136e255aa2e5b6a74a24c7ad25abad42a75214b4593e0d5d9f0f124ebd089a4828aac3eddfd948a185c9c05d42b8208485eb971b190910f140b97db2
SSDEEP

12288:kf6IqPlL5LquDSvJD69UtJLXbX1bG4tpoT9e7607L7JHkHh5dh07:hZ5FSvJwoJLr5ztpoReOwJHkHh5dh

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	639a56874b7fb0017aea82f76e034be1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	639a56874b7fb0017aea82f76e034be1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	639a56874b7fb0017aea82f76e034be1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\639a56874b7fb0017aea82f76e034be1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\639a56874b7fb0017aea82f76e034be1.exe:*:Enabled:orksys"	639a56874b7fb0017aea82f76e034be1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4792	639a56874b7fb0017aea82f76e034be1.exe

C:\Users\Admin\AppData\Local\Temp\639a56874b7fb0017aea82f76e034be1.exe
"C:\Users\Admin\AppData\Local\Temp\639a56874b7fb0017aea82f76e034be1.exe"
1⤵
- Modifies firewall policy service
- Suspicious behavior: GetForegroundWindowSpam
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4792-0-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4792-1-0x0000000000400000-0x0000000000781000-memory.dmp

Filesize
3.5MB

Download
memory/4792-2-0x0000000000400000-0x0000000000781000-memory.dmp

Filesize
3.5MB

Download
memory/4792-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads