5a33e61b6625e2cac6ce1b3cfb05958cda95b7257d50e1d0108b83596392a5b6

General

Target

70e1682854e1b5771b91eb317df85bd8.exe
Size

204KB
MD5

70e1682854e1b5771b91eb317df85bd8
SHA1

cccf0c59a8071485f23a36488b9eb65b7d5e23de
SHA256

5a33e61b6625e2cac6ce1b3cfb05958cda95b7257d50e1d0108b83596392a5b6
SHA512

a9fedcaa034c78463933a0347a525618ed01114956c8779f90dac5dfeec2f84ea6a903f7b65cd62b942084d181bc510138824b9554f5eeffb1eb5d2ebe9072d4
SSDEEP

6144:9GaO0vYQoJfzRMgSf27kBPpVrixUG/NE:9GpQUzRMzNBPDrPGW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

70e1682854e1b5771b91eb317df85bd8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	70e1682854e1b5771b91eb317df85bd8.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\75439967573920484\winsvr.exe = "C:\\Users\\Admin\\75439967573920484\\winsvr.exe:*:Enabled:Windows Service"	70e1682854e1b5771b91eb317df85bd8.exe

Executes dropped EXE 2 IoCs

Processes:

winsvr.exewinsvr.exe

pid process

2548 winsvr.exe
2720 winsvr.exe
Loads dropped DLL 2 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exe

pid process

2324 70e1682854e1b5771b91eb317df85bd8.exe
2324 70e1682854e1b5771b91eb317df85bd8.exe

pid	process
2548	winsvr.exe
2720	winsvr.exe

pid	process
2324	70e1682854e1b5771b91eb317df85bd8.exe
2324	70e1682854e1b5771b91eb317df85bd8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

70e1682854e1b5771b91eb317df85bd8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\75439967573920484\\winsvr.exe"	70e1682854e1b5771b91eb317df85bd8.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exewinsvr.exe

description	pid	process	target process
PID 2316 set thread context of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2548 set thread context of 2720	2548	winsvr.exe	winsvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exewinsvr.exe

pid process

2316 70e1682854e1b5771b91eb317df85bd8.exe
2548 winsvr.exe

pid	process
2316	70e1682854e1b5771b91eb317df85bd8.exe
2548	winsvr.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

70e1682854e1b5771b91eb317df85bd8.exe70e1682854e1b5771b91eb317df85bd8.exewinsvr.exe

description	pid	process	target process
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2316 wrote to memory of 2324	2316	70e1682854e1b5771b91eb317df85bd8.exe	70e1682854e1b5771b91eb317df85bd8.exe
PID 2324 wrote to memory of 2548	2324	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 2324 wrote to memory of 2548	2324	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 2324 wrote to memory of 2548	2324	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 2324 wrote to memory of 2548	2324	70e1682854e1b5771b91eb317df85bd8.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe
PID 2548 wrote to memory of 2720	2548	winsvr.exe	winsvr.exe

C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe
"C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe
"C:\Users\Admin\AppData\Local\Temp\70e1682854e1b5771b91eb317df85bd8.exe"
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\75439967573920484\winsvr.exe
"C:\Users\Admin\75439967573920484\winsvr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\75439967573920484\winsvr.exe
"C:\Users\Admin\75439967573920484\winsvr.exe"
4⤵
- Executes dropped EXE
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\75439967573920484\winsvr.exe

Filesize
122KB

MD5
bce1a1425f6aa8c9c11f08bdb6ae53b6

SHA1
49a741cc7c828f5a4e0499d1918fc8860bb733dc

SHA256
4666fdc602bc1a8d537af928d9701837b7f74668032f6b6a8ba705ca9333ce48

SHA512
36d11b978206efb5a152ecf70a28fff7311430faaca5c65356e9daf04d3a79ef543ccb66947fcbd83118cf2b8ef462e88e8b684a2a8d7b464c80121f8cd04e33

Download Submit
C:\Users\Admin\75439967573920484\winsvr.exe

Filesize
115KB

MD5
763d84ab2b98cfdeef6db5e3993888a4

SHA1
1fc6fb00615139b9d1ee8333b67181a793e06ab2

SHA256
eb59d6900ab15fc7bf41ee6094c26121d4d170eae989232083b1ce590afa6ad1

SHA512
a020dfc8ba6a4e3dcd0612e093da4d34ddd08978ce6ca7901efc61b10831728d82af6ad099e87e31d0369e5864677268ea8b5904c2d96b4bbd33ef9e9f02eede

Download Submit
C:\Users\Admin\75439967573920484\winsvr.exe

Filesize
204KB

MD5
70e1682854e1b5771b91eb317df85bd8

SHA1
cccf0c59a8071485f23a36488b9eb65b7d5e23de

SHA256
5a33e61b6625e2cac6ce1b3cfb05958cda95b7257d50e1d0108b83596392a5b6

SHA512
a9fedcaa034c78463933a0347a525618ed01114956c8779f90dac5dfeec2f84ea6a903f7b65cd62b942084d181bc510138824b9554f5eeffb1eb5d2ebe9072d4

Download Submit
\Users\Admin\75439967573920484\winsvr.exe

Filesize
119KB

MD5
e6f0281b36f3510261c79a39fe23b580

SHA1
693270f8815804d1ff8f60928b26f08968b8218b

SHA256
030701c5e77b47bed85bf97f5a99a4fddbd519ac8bdc5463fba6871144c30786

SHA512
c1a7780915cfdff44011fb0b94726ca81c543e4ead3d573d9125766fde3fd1b910edbb7e103b741b2b01f94a774dbee9208b25ff5173de66461c872c3bdb3ee0

Download Submit
\Users\Admin\75439967573920484\winsvr.exe

Filesize
150KB

MD5
7d1314e54d14b8104d6c8fea9c97b997

SHA1
cf9b25d1f4eccc2a04ae72aa24fec2e99f4ee74a

SHA256
c2ca7604e6e97d607198af113dbcd309b5904816e5542711125b00ed3f26a8d0

SHA512
8381b88a7e4fb4ea0570500df1c72bd3633522c4b0db8afc89f329e9be4dee5b2e9ea576d1d64ad969c57bcfc69cac8587280293b847f34cf6af318bd27b82d2

Download Submit
memory/2316-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2324-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2548-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads