Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 00:08
Static task: static1
Behavioral task: behavioral1
- Sample: 95ba95cad998d07b406c4b6161274e89.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 95ba95cad998d07b406c4b6161274e89.exe
- Resource: win10v2004-20231215-en
General
- Target: 95ba95cad998d07b406c4b6161274e89.exe
- Size: 1.7MB
- MD5: 95ba95cad998d07b406c4b6161274e89
- SHA1: 457a7b403eec2863716eaa5f2e0dc6c6c4a834b8
- SHA256: 35611bfb7b38f17960d97815bf31b02fc0625cb9a839951f4beedb56de5e81d9
- SHA512: 4a83be49e87d53eb61de227ab82c96bec169199b8dd7984235a0aacfe9ce55eaba5f54d7bbe4fd0701a430a56dea2dbbbbdf2e6e35490912c1f6d6d12f61107d
- SSDEEP: 49152:Ta3Pt9AYZmGR7Q7afTDuY1tRHVMyi07Tg:u3OGhQ7a7DuG7Vaw
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description / ioc / process:
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\uncrypt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\uncrypt.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrss.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource / yara_rule:
- behavioral2/memory/228-49-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
- behavioral2/memory/228-50-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
- behavioral2/memory/228-51-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
-
Nirsoft 24 IoCs
Processes:
resource / yara_rule:
- behavioral2/memory/3620-31-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft
- behavioral2/memory/3620-32-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft
- behavioral2/memory/3620-34-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft
- behavioral2/memory/2020-42-0x0000000000400000-0x0000000000425000-memory.dmp Nirsoft
- behavioral2/memory/2020-43-0x0000000000400000-0x0000000000425000-memory.dmp Nirsoft
- behavioral2/memory/228-49-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
- behavioral2/memory/228-50-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
- behavioral2/memory/228-51-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
- behavioral2/memory/980-57-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft
- behavioral2/memory/980-59-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft
- behavioral2/memory/980-61-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft
- behavioral2/memory/2916-68-0x0000000000400000-0x000000000043E000-memory.dmp Nirsoft
- behavioral2/memory/2916-72-0x0000000000400000-0x000000000043E000-memory.dmp Nirsoft
- behavioral2/memory/2916-71-0x0000000000400000-0x000000000043E000-memory.dmp Nirsoft
- behavioral2/memory/3196-79-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
- behavioral2/memory/3196-80-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
- behavioral2/memory/3196-81-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft
- behavioral2/memory/224-83-0x0000000000400000-0x0000000000410000-memory.dmp Nirsoft
- behavioral2/memory/224-86-0x0000000000400000-0x0000000000410000-memory.dmp Nirsoft
- behavioral2/memory/224-87-0x0000000000400000-0x0000000000410000-memory.dmp Nirsoft
- behavioral2/memory/3936-94-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft
- behavioral2/memory/3936-97-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft
- behavioral2/memory/2128-104-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft
- behavioral2/memory/2128-107-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft
-
Executes dropped EXE 11 IoCs
Processes: csrss.exe (11 instances)
pid / process:
- 2420 csrss.exe
- 684 csrss.exe
- 3620 csrss.exe
- 2020 csrss.exe
- 228 csrss.exe
- 980 csrss.exe
- 2916 csrss.exe
- 3196 csrss.exe
- 224 csrss.exe
- 3936 csrss.exe
- 2128 csrss.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource / yara_rule:
- behavioral2/memory/2420-12-0x0000000000400000-0x00000000004AE000-memory.dmp upx
- behavioral2/memory/2420-16-0x0000000000400000-0x00000000004AE000-memory.dmp upx
- behavioral2/memory/2420-7-0x0000000000400000-0x00000000004AE000-memory.dmp upx
- behavioral2/memory/3620-24-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/3620-31-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/3620-30-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/3620-32-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/3620-34-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/2020-37-0x0000000000400000-0x0000000000425000-memory.dmp upx
- behavioral2/memory/2020-40-0x0000000000400000-0x0000000000425000-memory.dmp upx
- behavioral2/memory/2020-42-0x0000000000400000-0x0000000000425000-memory.dmp upx
- behavioral2/memory/2020-43-0x0000000000400000-0x0000000000425000-memory.dmp upx
- behavioral2/memory/228-45-0x0000000000400000-0x000000000041F000-memory.dmp upx
- behavioral2/memory/228-48-0x0000000000400000-0x000000000041F000-memory.dmp upx
- behavioral2/memory/228-49-0x0000000000400000-0x000000000041F000-memory.dmp upx
- behavioral2/memory/228-50-0x0000000000400000-0x000000000041F000-memory.dmp upx
- behavioral2/memory/228-51-0x0000000000400000-0x000000000041F000-memory.dmp upx
- behavioral2/memory/980-53-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/980-56-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/980-57-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/2420-58-0x0000000000400000-0x00000000004AE000-memory.dmp upx
- behavioral2/memory/980-59-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/980-61-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/2916-68-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral2/memory/2916-67-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral2/memory/2916-64-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral2/memory/2916-72-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral2/memory/2916-71-0x0000000000400000-0x000000000043E000-memory.dmp upx
- behavioral2/memory/3196-75-0x0000000000400000-0x000000000041B000-memory.dmp upx
- behavioral2/memory/3196-78-0x0000000000400000-0x000000000041B000-memory.dmp upx
- behavioral2/memory/3196-79-0x0000000000400000-0x000000000041B000-memory.dmp upx
- behavioral2/memory/3196-80-0x0000000000400000-0x000000000041B000-memory.dmp upx
- behavioral2/memory/3196-81-0x0000000000400000-0x000000000041B000-memory.dmp upx
- behavioral2/memory/3936-89-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/3936-92-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/3936-94-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/3936-97-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/2128-100-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/2128-103-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/2128-104-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/2128-107-0x0000000000400000-0x0000000000419000-memory.dmp upx
- behavioral2/memory/2420-110-0x0000000000400000-0x00000000004AE000-memory.dmp upx
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: csrss.exe
description / ioc / process:
- Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (csrss.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 95ba95cad998d07b406c4b6161274e89.exe
description / ioc / process:
- Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe" (95ba95cad998d07b406c4b6161274e89.exe)
-
Suspicious use of SetThreadContext 11 IoCs
Processes: 95ba95cad998d07b406c4b6161274e89.exe, csrss.exe
description / pid / process / target process:
- PID 3924 set thread context of 2420: 95ba95cad998d07b406c4b6161274e89.exe -> csrss.exe
- PID 3924 set thread context of 684: 95ba95cad998d07b406c4b6161274e89.exe -> csrss.exe
- PID 2420 set thread context of 3620: csrss.exe -> csrss.exe
- PID 2420 set thread context of 2020: csrss.exe -> csrss.exe
- PID 2420 set thread context of 228: csrss.exe -> csrss.exe
- PID 2420 set thread context of 980: csrss.exe -> csrss.exe
- PID 2420 set thread context of 2916: csrss.exe -> csrss.exe
- PID 2420 set thread context of 3196: csrss.exe -> csrss.exe
- PID 2420 set thread context of 224: csrss.exe -> csrss.exe
- PID 2420 set thread context of 3936: csrss.exe -> csrss.exe
- PID 2420 set thread context of 2128: csrss.exe -> csrss.exe
-
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid / process:
- 4568 reg.exe
- 3932 reg.exe
- 2316 reg.exe
- 4788 reg.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: csrss.exe
pid / process:
- 2020 csrss.exe
- 2020 csrss.exe
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes: csrss.exe, csrss.exe, csrss.exe
description / pid / process:
- 684 csrss.exe, Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- 2020 csrss.exe, Token: SeDebugPrivilege
- 3196 csrss.exe, Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: csrss.exe, csrss.exe
pid / process:
- 2420 csrss.exe
- 684 csrss.exe
- 684 csrss.exe
- 684 csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 95ba95cad998d07b406c4b6161274e89.exe, csrss.exe, csrss.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description / pid / process / target process (identical rows grouped with their count):
- PID 3924 wrote to memory of 2420: 95ba95cad998d07b406c4b6161274e89.exe -> csrss.exe (x8)
- PID 3924 wrote to memory of 684: 95ba95cad998d07b406c4b6161274e89.exe -> csrss.exe (x8)
- PID 2420 wrote to memory of 3620: csrss.exe -> csrss.exe (x8)
- PID 684 wrote to memory of 1056: csrss.exe -> cmd.exe (x3)
- PID 684 wrote to memory of 4328: csrss.exe -> cmd.exe (x3)
- PID 684 wrote to memory of 936: csrss.exe -> cmd.exe (x3)
- PID 684 wrote to memory of 3056: csrss.exe -> cmd.exe (x3)
- PID 2420 wrote to memory of 2020: csrss.exe -> csrss.exe (x8)
- PID 3056 wrote to memory of 4568: cmd.exe -> reg.exe (x3)
- PID 1056 wrote to memory of 4788: cmd.exe -> reg.exe (x3)
- PID 4328 wrote to memory of 2316: cmd.exe -> reg.exe (x3)
- PID 936 wrote to memory of 3932: cmd.exe -> reg.exe (x3)
- PID 2420 wrote to memory of 228: csrss.exe -> csrss.exe (x8)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\95ba95cad998d07b406c4b6161274e89.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95ba95cad998d07b406c4b6161274e89.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\csrss.exe
    Command line: C:\Users\Admin\AppData\Roaming\csrss.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\offc.dat"
      - Executes dropped EXE
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\mess.dat"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\mail.dat"
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\dial.dat"
      - Executes dropped EXE
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\chro.dat"
      - Executes dropped EXE
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\iexp.dat"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\ptsg.dat"
      - Executes dropped EXE
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\ffox.dat"
      - Executes dropped EXE
    - [depth 3] C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: /stext "C:\Users\Admin\AppData\Roaming\opra.dat"
      - Executes dropped EXE
  - [depth 2] C:\Users\Admin\AppData\Roaming\csrss.exe
    Command line: C:\Users\Admin\AppData\Roaming\csrss.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\uncrypt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uncrypt.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\uncrypt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uncrypt.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrss.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Roaming\csrss.exe
  Filesize: 1KB
  MD5: bd1829843641d264c9ef57ee175a68ae
  SHA1: 298cdbc7f30583f964a6533bf62fb7aff501aa52
  SHA256: 87cff8f9ae3660c6ff6fc7d6262c61b7c19b2271ae9a95abe7b9d744d386259c
  SHA512: 6165d8d47c2e32407c0888b28989ae293f592c4e4771e43d8d09d303e3ad73f895f1c852a176677b3fbd78449536579570cac67a17b2e9135774236b159b2827
- C:\Users\Admin\AppData\Roaming\dial.dat
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\offc.dat
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/224-83-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/224-86-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/224-87-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/228-45-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/228-48-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/228-49-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/228-50-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/228-51-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/684-111-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/684-18-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/684-11-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/684-113-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/684-69-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/980-61-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/980-53-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/980-56-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/980-57-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/980-59-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/2020-40-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2020-43-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2020-42-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2020-37-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2128-100-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2128-103-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2128-104-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2128-107-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2420-16-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/2420-58-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/2420-7-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/2420-12-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/2420-110-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/2916-68-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2916-67-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2916-64-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2916-72-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2916-71-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3196-80-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3196-75-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3196-79-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3196-78-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3196-81-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3620-31-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/3620-30-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/3620-32-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/3620-34-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/3620-24-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/3924-17-0x00000000747E0000-0x0000000074D91000-memory.dmp (Filesize: 5.7MB)
- memory/3924-0-0x00000000747E0000-0x0000000074D91000-memory.dmp (Filesize: 5.7MB)
- memory/3924-3-0x00000000747E0000-0x0000000074D91000-memory.dmp (Filesize: 5.7MB)
- memory/3924-2-0x00000000747E0000-0x0000000074D91000-memory.dmp (Filesize: 5.7MB)
- memory/3924-1-0x00000000015F0000-0x0000000001600000-memory.dmp (Filesize: 64KB)
- memory/3936-97-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/3936-94-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/3936-92-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/3936-89-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)