4937c5ad9b7c054d4aef98230a228555e71addbfdb93f2826156d3872a7f794a

General

Target

681ac6da809b115402863a99f02122cf.exe
Size

600KB
MD5

681ac6da809b115402863a99f02122cf
SHA1

d50d6c617b823a58b042650515d7a1e4c1de61fe
SHA256

4937c5ad9b7c054d4aef98230a228555e71addbfdb93f2826156d3872a7f794a
SHA512

8de24c09922b73df0a0edb89bbe9464f876eb85491b71693cadc6dda5434f369dd439246208f9a4c069e1d7eb4db9f84d9d33e1309df581aeba4e4b0022fa290
SSDEEP

12288:SgskAh0Eqp+p++TAoe2khAOtfTzRioTx1OG:SkAh0Eqp+hASkhAOtfTzRBN1OG

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

681ac6da809b115402863a99f02122cf.exe

description pid process target process

PID 2440 set thread context of 3508 2440 681ac6da809b115402863a99f02122cf.exe 681ac6da809b115402863a99f02122cf.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4380 reg.exe
2204 reg.exe
3940 reg.exe
4604 reg.exe

description	pid	process	target process
PID 2440 set thread context of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe

pid	process
4380	reg.exe
2204	reg.exe
3940	reg.exe
4604	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

681ac6da809b115402863a99f02122cf.exe

description	pid	process
Token: 1	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeCreateTokenPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeAssignPrimaryTokenPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeLockMemoryPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeIncreaseQuotaPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeMachineAccountPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeTcbPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeSecurityPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeTakeOwnershipPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeLoadDriverPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeSystemProfilePrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeSystemtimePrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeProfSingleProcessPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeIncBasePriorityPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeCreatePagefilePrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeCreatePermanentPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeBackupPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeRestorePrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeShutdownPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeDebugPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeAuditPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeSystemEnvironmentPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeChangeNotifyPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeRemoteShutdownPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeUndockPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeSyncAgentPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeEnableDelegationPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeManageVolumePrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeImpersonatePrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: SeCreateGlobalPrivilege	3508	681ac6da809b115402863a99f02122cf.exe
Token: 31	3508	681ac6da809b115402863a99f02122cf.exe
Token: 32	3508	681ac6da809b115402863a99f02122cf.exe
Token: 33	3508	681ac6da809b115402863a99f02122cf.exe
Token: 34	3508	681ac6da809b115402863a99f02122cf.exe
Token: 35	3508	681ac6da809b115402863a99f02122cf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

681ac6da809b115402863a99f02122cf.exe681ac6da809b115402863a99f02122cf.exe

pid	process
2440	681ac6da809b115402863a99f02122cf.exe
3508	681ac6da809b115402863a99f02122cf.exe
3508	681ac6da809b115402863a99f02122cf.exe
3508	681ac6da809b115402863a99f02122cf.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

681ac6da809b115402863a99f02122cf.exe681ac6da809b115402863a99f02122cf.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 2440 wrote to memory of 3508	2440	681ac6da809b115402863a99f02122cf.exe	681ac6da809b115402863a99f02122cf.exe
PID 3508 wrote to memory of 4400	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 4400	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 4400	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 3792	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 3792	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 3792	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 4972	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 4972	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 4972	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 3976	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 3976	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 3508 wrote to memory of 3976	3508	681ac6da809b115402863a99f02122cf.exe	cmd.exe
PID 4400 wrote to memory of 2204	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 2204	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 2204	4400	cmd.exe	reg.exe
PID 3792 wrote to memory of 4380	3792	cmd.exe	reg.exe
PID 3792 wrote to memory of 4380	3792	cmd.exe	reg.exe
PID 3792 wrote to memory of 4380	3792	cmd.exe	reg.exe
PID 4972 wrote to memory of 4604	4972	cmd.exe	reg.exe
PID 4972 wrote to memory of 4604	4972	cmd.exe	reg.exe
PID 4972 wrote to memory of 4604	4972	cmd.exe	reg.exe
PID 3976 wrote to memory of 3940	3976	cmd.exe	reg.exe
PID 3976 wrote to memory of 3940	3976	cmd.exe	reg.exe
PID 3976 wrote to memory of 3940	3976	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
"C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4604

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3508-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-13-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-18-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-23-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3508-26-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads