ba4568175950b5113ba77dd77ed6d056b177d71d379e322773bd6af89ab2e4dd

General

Target

a33422028510cbe1381f556208fb46b2.exe
Size

44KB
MD5

a33422028510cbe1381f556208fb46b2
SHA1

a6f7075faa0e6c318ab0930fa0b02e485e2c1506
SHA256

ba4568175950b5113ba77dd77ed6d056b177d71d379e322773bd6af89ab2e4dd
SHA512

d0e068d18c23198620460ebcbba03ccb6a1f958336ae02469c5e0ca4f19cf3c760e1af9000b87e8dcbd61f7bab28164a8876121467ba6b372303e08619620b8c
SSDEEP

768:phQz3L3E539AyQSxqdUqWRVQWzu2z8jixU9hFbMjBnND5jlWdp1X6OE7:pQ3L3E5tAhSxQ8RVQWDz8j2kh+BLjodF

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

msnliveq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Microsoft Messenger Update = "C:\\Users\\Admin\\AppData\\Roaming\\msnliveq.exe"	msnliveq.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msnliveq.exe

Executes dropped EXE 2 IoCs

Processes:

msnliveq.exemsnliveq.exe

pid process

2368 msnliveq.exe
1620 msnliveq.exe
Loads dropped DLL 3 IoCs

Processes:

a33422028510cbe1381f556208fb46b2.exemsnliveq.exe

pid process

1036 a33422028510cbe1381f556208fb46b2.exe
1036 a33422028510cbe1381f556208fb46b2.exe
2368 msnliveq.exe

pid	process
2368	msnliveq.exe
1620	msnliveq.exe

pid	process
1036	a33422028510cbe1381f556208fb46b2.exe
1036	a33422028510cbe1381f556208fb46b2.exe
2368	msnliveq.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2368-23-0x0000000000400000-0x0000000000426000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\msnliveq.exe	upx
behavioral1/memory/2216-10-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2216-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2368-35-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msnliveq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Messenger Update = "C:\\Users\\Admin\\AppData\\Roaming\\msnliveq.exe"	msnliveq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Messenger Update = "C:\\Users\\Admin\\AppData\\Roaming\\msnliveq.exe"	msnliveq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a33422028510cbe1381f556208fb46b2.exemsnliveq.exe

description	pid	process	target process
PID 2216 set thread context of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2368 set thread context of 1620	2368	msnliveq.exe	msnliveq.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a33422028510cbe1381f556208fb46b2.exemsnliveq.exe

pid process

1036 a33422028510cbe1381f556208fb46b2.exe
1620 msnliveq.exe
1620 msnliveq.exe
1620 msnliveq.exe
1620 msnliveq.exe
1620 msnliveq.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a33422028510cbe1381f556208fb46b2.exemsnliveq.exe

pid process

2216 a33422028510cbe1381f556208fb46b2.exe
2368 msnliveq.exe

pid	process
1036	a33422028510cbe1381f556208fb46b2.exe
1620	msnliveq.exe
1620	msnliveq.exe
1620	msnliveq.exe
1620	msnliveq.exe
1620	msnliveq.exe

pid	process
2216	a33422028510cbe1381f556208fb46b2.exe
2368	msnliveq.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a33422028510cbe1381f556208fb46b2.exea33422028510cbe1381f556208fb46b2.exemsnliveq.exe

description	pid	process	target process
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 2216 wrote to memory of 1036	2216	a33422028510cbe1381f556208fb46b2.exe	a33422028510cbe1381f556208fb46b2.exe
PID 1036 wrote to memory of 2368	1036	a33422028510cbe1381f556208fb46b2.exe	msnliveq.exe
PID 1036 wrote to memory of 2368	1036	a33422028510cbe1381f556208fb46b2.exe	msnliveq.exe
PID 1036 wrote to memory of 2368	1036	a33422028510cbe1381f556208fb46b2.exe	msnliveq.exe
PID 1036 wrote to memory of 2368	1036	a33422028510cbe1381f556208fb46b2.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe
PID 2368 wrote to memory of 1620	2368	msnliveq.exe	msnliveq.exe

C:\Users\Admin\AppData\Roaming\msnliveq.exe
"C:\Users\Admin\AppData\Roaming\msnliveq.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Roaming\msnliveq.exe
"C:\Users\Admin\AppData\Roaming\msnliveq.exe"
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\AppData\Local\Temp\a33422028510cbe1381f556208fb46b2.exe
"C:\Users\Admin\AppData\Local\Temp\a33422028510cbe1381f556208fb46b2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\a33422028510cbe1381f556208fb46b2.exe
"C:\Users\Admin\AppData\Local\Temp\a33422028510cbe1381f556208fb46b2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msnliveq.exe
Filesize
44KB

MD5
a33422028510cbe1381f556208fb46b2

SHA1
a6f7075faa0e6c318ab0930fa0b02e485e2c1506

SHA256
ba4568175950b5113ba77dd77ed6d056b177d71d379e322773bd6af89ab2e4dd

SHA512
d0e068d18c23198620460ebcbba03ccb6a1f958336ae02469c5e0ca4f19cf3c760e1af9000b87e8dcbd61f7bab28164a8876121467ba6b372303e08619620b8c

Download Submit
memory/1036-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1036-25-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1036-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-21-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/1036-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-40-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1620-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2216-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2216-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2216-3-0x00000000003C0000-0x00000000003E6000-memory.dmp

Filesize
152KB

Download
memory/2368-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2368-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads