Analysis
- max time kernel: 147s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2024 16:32
Static task: static1
Behavioral task behavioral1: sample 681ac6da809b115402863a99f02122cf.exe, resource win7-20231129-en
Behavioral task behavioral2: sample 681ac6da809b115402863a99f02122cf.exe, resource win10v2004-20231222-en
The signatures, process tree and memory dumps below are from the windows7_x64 run (behavioral1).
General
- Target: 681ac6da809b115402863a99f02122cf.exe
- Size: 600KB
- MD5: 681ac6da809b115402863a99f02122cf
- SHA1: d50d6c617b823a58b042650515d7a1e4c1de61fe
- SHA256: 4937c5ad9b7c054d4aef98230a228555e71addbfdb93f2826156d3872a7f794a
- SHA512: 8de24c09922b73df0a0edb89bbe9464f876eb85491b71693cadc6dda5434f369dd439246208f9a4c069e1d7eb4db9f84d9d33e1309df581aeba4e4b0022fa290
- SSDEEP: 12288:SgskAh0Eqp+p++TAoe2khAOtfTzRioTx1OG:SkAh0Eqp+hASkhAOtfTzRBN1OG
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 8 IoCs)
Processes: reg.exe (×4)
- Key created by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (str) by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger"
- Key created by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (str) by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"
- Key created by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int) by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Key created by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int) by reg.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Each AuthorizedApplications\List value has the form <path>:<scope>:<Enabled|Disabled>:<display name>; a scope of * means any remote address, and DoNotAllowExceptions=0 makes the firewall honour the exception list so these entries take effect. "Windows Messanger" is the sample's own display string (a misspelling of Windows Messenger) and is kept verbatim as an IoC. C:\Users\Admin\AppData\Roaming\local.exe is allowed through the firewall, but no file write to that path is recorded in this report, which suggests a copy step the run did not capture.
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 681ac6da809b115402863a99f02122cf.exe
- PID 2220 set thread context of 1748 (681ac6da809b115402863a99f02122cf.exe -> 681ac6da809b115402863a99f02122cf.exe)
-
Modifies registry key (1 TTP, 4 IoCs)
Processes: reg.exe (×4), PIDs 2664, 2660, 2644, 2692
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: 681ac6da809b115402863a99f02122cf.exe (PID 1748)
Token privileges requested by PID 1748: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
The named entries are privilege LUIDs 2 through 30 in winnt.h order, and with the unnamed LUIDs 1 and 31-35 they form a contiguous run of 1-35: consistent with a loop that calls AdjustTokenPrivileges on every LUID rather than asking for specific privileges. A listed privilege is one the process asked for, not necessarily one it holds; check the process token before assuming SeDebugPrivilege or SeTcbPrivilege were granted.
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 681ac6da809b115402863a99f02122cf.exe (×2)
- PID 2220 681ac6da809b115402863a99f02122cf.exe (×1)
- PID 1748 681ac6da809b115402863a99f02122cf.exe (×3)
-
Suspicious use of WriteProcessMemory (41 IoCs)
Processes: 681ac6da809b115402863a99f02122cf.exe (×2), cmd.exe (×4)
- PID 2220 wrote to memory of 1748 (681ac6da809b115402863a99f02122cf.exe -> 681ac6da809b115402863a99f02122cf.exe) ×9
- PID 1748 wrote to memory of 2972 (681ac6da809b115402863a99f02122cf.exe -> cmd.exe) ×4
- PID 1748 wrote to memory of 1768 (681ac6da809b115402863a99f02122cf.exe -> cmd.exe) ×4
- PID 1748 wrote to memory of 1640 (681ac6da809b115402863a99f02122cf.exe -> cmd.exe) ×4
- PID 1748 wrote to memory of 1944 (681ac6da809b115402863a99f02122cf.exe -> cmd.exe) ×4
- PID 1944 wrote to memory of 2644 (cmd.exe -> reg.exe) ×4
- PID 1768 wrote to memory of 2660 (cmd.exe -> reg.exe) ×4
- PID 1640 wrote to memory of 2664 (cmd.exe -> reg.exe) ×4
- PID 2972 wrote to memory of 2692 (cmd.exe -> reg.exe) ×4
Every cmd.exe and reg.exe child here shows exactly four writes from its parent, the pattern every plain process creation shows in this run; the nine writes from 2220 into its own second instance, together with the SetThreadContext row, are the injection.
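The SetThreadContext and WriteProcessMemory tables above describe one pattern: PID 2220 writes into a second instance of its own image (PID 1748) and then resets that instance's thread context, while the writes from PID 1748 into the cmd.exe children and from cmd.exe into reg.exe are the ordinary writes a parent makes into a process it has just created. The script below is an added example, not output of the sandbox and not code from the sample: it parses rows in the shape the tables print them and reports only source/target pairs that show both operations, which is the RunPE/process-hollowing combination. The rows it runs on are a constructed subset of this report's rows.

```python
import re

# Constructed sample: a subset of this report's "Suspicious use of ..." rows, in the
# shape the sandbox prints them: PID <src> <op> of <dst> <src> <src image> <dst image>.
SAMPLE_EVENTS = """
PID 2220 set thread context of 1748 2220 681ac6da809b115402863a99f02122cf.exe 681ac6da809b115402863a99f02122cf.exe
PID 2220 wrote to memory of 1748 2220 681ac6da809b115402863a99f02122cf.exe 681ac6da809b115402863a99f02122cf.exe
PID 2220 wrote to memory of 1748 2220 681ac6da809b115402863a99f02122cf.exe 681ac6da809b115402863a99f02122cf.exe
PID 2220 wrote to memory of 1748 2220 681ac6da809b115402863a99f02122cf.exe 681ac6da809b115402863a99f02122cf.exe
PID 1748 wrote to memory of 2972 1748 681ac6da809b115402863a99f02122cf.exe cmd.exe
PID 1748 wrote to memory of 2972 1748 681ac6da809b115402863a99f02122cf.exe cmd.exe
PID 2972 wrote to memory of 2692 2972 cmd.exe reg.exe
PID 2972 wrote to memory of 2692 2972 cmd.exe reg.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory|set thread context) of (?P<dst>\d+) "
    r"\d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)


def parse_events(text):
    """Turn the sandbox's row text into dicts; rows that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["src"], ev["dst"] = int(ev["src"]), int(ev["dst"])
            events.append(ev)
    return events


def summarize_pairs(text):
    """Group events by (source pid, target pid): which operations occurred and how many writes."""
    pairs = {}
    for ev in parse_events(text):
        p = pairs.setdefault(
            (ev["src"], ev["dst"]),
            {"ops": set(), "writes": 0, "src_image": ev["src_image"], "dst_image": ev["dst_image"]},
        )
        p["ops"].add(ev["op"])
        if ev["op"] == "wrote to memory":
            p["writes"] += 1
    return pairs


def find_hollowing(text):
    """Flag only pairs that combine WriteProcessMemory with SetThreadContext.

    Writes alone are not flagged: a parent writes into every child it creates,
    so they would match the benign cmd.exe -> reg.exe rows as well.
    """
    findings = []
    for (src, dst), p in sorted(summarize_pairs(text).items()):
        if {"set thread context", "wrote to memory"} <= p["ops"]:
            findings.append({
                "injector": src,
                "target": dst,
                "writes": p["writes"],
                "target_image": p["dst_image"],
                # True when a process injects into a fresh copy of its own binary (self-hollowing).
                "same_image": p["src_image"] == p["dst_image"],
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS):
        print(f"{f['injector']} -> {f['target']} ({f['target_image']}): "
              f"{f['writes']} writes + SetThreadContext, same_image={f['same_image']}")
```

A same_image of True with a target at the sample's own path is the self-hollowing case seen in this report; the same logic flags a write-plus-SetThreadContext into an unrelated system binary, which is the more common hollowing target. Pairs with writes only, such as 1748 -> 2972, stay out of the findings and can be read from summarize_pairs when the process tree needs reconstructing.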
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe (PID 2220, per the signature tables)
  Command line: "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe (PID 1748)
    Command line: C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
The [1]-[4] markers are the tree depths the sandbox renders as 1 to 4. The first instance (PID 2220) launches a second copy of its own binary (PID 1748) and, per the SetThreadContext and WriteProcessMemory tables, writes into it and resets its thread context; it is the child, not the parent, that adjusts token privileges and spawns the four cmd.exe/reg.exe pairs. cmd.exe and reg.exe load from SysWOW64, so the sample is a 32-bit executable running under WOW64 on this x64 image (the resource tags list both arch:x86 and arch:x64). The DoNotAllowExceptions command is issued twice; the two AuthorizedApplications entries cover the sample's current path and C:\Users\Admin\AppData\Roaming\local.exe. HKLM\System\CurrentControlSet in these command lines resolves to the ControlSet001 paths shown in the signature tables.
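The four REG ADD commands above (and the "Modifies firewall policy service" IoCs in the Signatures section) use the legacy per-application exception list of the Windows Firewall, where each value under AuthorizedApplications\List has the form <path>:<scope>:<Enabled|Disabled>:<display name>. The script below is an added example, not part of the sandbox report and not code from the sample: it parses "Set value" lines in the shape this report prints them and flags the entries a responder would want to see, namely exceptions for binaries in user-writable paths, Microsoft-sounding display names attached to non-system binaries, and a DoNotAllowExceptions of 0. The lines it runs on are constructed from this report's values plus one hypothetical benign entry (C:\Program Files\Example\agent.exe) to show what is not flagged. On a live Windows 7 or later host, export both this key and FirewallPolicy\FirewallRules, since current firewall rules live in the latter.

```python
import re

# Constructed sample: the "Set value" rows from this report, in the shape the sandbox
# prints them (doubled backslashes are the sandbox's display escaping), plus one
# hypothetical benign entry to show a non-finding.
SAMPLE_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger"
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Example\agent.exe = "C:\\Program Files\\Example\\agent.exe:LocalSubNet:Enabled:Example Agent"
"""

SET_VALUE_RE = re.compile(r'^Set value \((?P<type>str|int)\) (?P<key>.+?) = "(?P<value>.*)"$')

# Locations an unprivileged user can write to; a firewall exception for a binary
# living here is rarely legitimate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_exception(value):
    """Split '<path>:<scope>:<state>:<name>' from the right so the drive-letter colon survives."""
    parts = value.replace("\\\\", "\\").rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def audit_exception(entry):
    """Return the reasons an exception entry deserves a look (empty list = nothing notable)."""
    reasons = []
    low = entry["path"].lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("binary in a user-writable location")
    if any(w in entry["name"].lower() for w in ("windows", "microsoft")) and not low.startswith(SYSTEM_ROOTS):
        reasons.append("Microsoft-sounding display name on a non-system binary")
    # Scope * (any remote address) only adds weight once something else is off.
    if reasons and entry["scope"] == "*":
        reasons.append("scope * (any remote address)")
    return reasons


def audit(lines):
    """Walk sandbox 'Set value' rows and collect findings for the firewall policy keys."""
    findings = []
    for line in lines.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        klow = key.lower()
        if klow.endswith("\\donotallowexceptions"):
            # 1 = block all incoming regardless of exceptions; 0 = exception list is honoured.
            if value == "0":
                findings.append({"kind": "policy", "key": key,
                                 "reasons": ["DoNotAllowExceptions=0: exception list is honoured"]})
        elif "\\authorizedapplications\\list\\" in klow:
            entry = parse_exception(value)
            if entry is None:
                findings.append({"kind": "malformed", "key": key, "value": value,
                                 "reasons": ["unexpected value format"]})
                continue
            reasons = audit_exception(entry)
            if reasons:
                findings.append({"kind": "exception", "reasons": reasons, **entry})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f["kind"], f.get("path", f.get("key")), "->", "; ".join(f["reasons"]))
```

The display-name check is deliberately loose: a misspelled "Windows Messanger" attached to a file in AppData\Local\Temp is what this sample does, but any vendor-sounding name on a binary outside the system roots is worth a second look. Entries whose value does not split into four fields are reported as malformed rather than dropped, since a value the parser cannot read is itself a finding.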
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dumps of PID 1748, all of the same region (0x0000000000400000-0x0000000000470000, 448KB), taken at successive points in the run:
- memory/1748-2-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-10-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-11-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-13-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-14-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-15-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-17-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-18-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-19-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-21-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-22-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1748-26-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
0x400000 is the default image base of a 32-bit executable, and the 0x70000-byte region (448KB) is smaller than the 600KB file on disk. Together with the parent's SetThreadContext and WriteProcessMemory into this process, repeated dumps of this one region are what a payload mapped over the child's image would look like; compare the PE header and sections in these dumps against the original file to confirm, and treat the dumped image as the unpacked stage for further analysis.