Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 16:32

General

  • Target

    681ac6da809b115402863a99f02122cf.exe

  • Size

    600KB

  • MD5

    681ac6da809b115402863a99f02122cf

  • SHA1

    d50d6c617b823a58b042650515d7a1e4c1de61fe

  • SHA256

    4937c5ad9b7c054d4aef98230a228555e71addbfdb93f2826156d3872a7f794a

  • SHA512

    8de24c09922b73df0a0edb89bbe9464f876eb85491b71693cadc6dda5434f369dd439246208f9a4c069e1d7eb4db9f84d9d33e1309df581aeba4e4b0022fa290

  • SSDEEP

    12288:SgskAh0Eqp+p++TAoe2khAOtfTzRioTx1OG:SkAh0Eqp+hASkhAOtfTzRBN1OG

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
    "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
      C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:2204
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:3940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3792
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\681ac6da809b115402863a99f02122cf.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

2
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3508-2-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-4-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-10-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-11-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-13-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-15-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-17-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-18-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-19-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-21-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-23-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

  • memory/3508-26-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB