6e4060bacd4f83f9086717fb0985b844ed4f588ce4ece1b2c0097657c8405733

General

Target

bbf3bc64dad9863e7872c4f72a0aa2ec.exe
Size

20KB
MD5

bbf3bc64dad9863e7872c4f72a0aa2ec
SHA1

0114a95d62abfd61b3ff7f3adabb440c597d2d1f
SHA256

6e4060bacd4f83f9086717fb0985b844ed4f588ce4ece1b2c0097657c8405733
SHA512

229b09f9d24bf1e21999587139b7079e2c8608a4d390cf46833eee4b4c886cae77117c65be5a5009058457c232e19227a37600334387d225b4f5dbf97f39dffb
SSDEEP

384:X53rx5nb2toVsj3PSgpmbX3B0Avn2QzQ7EPFFo7S57Ka:Jrla3qZF0m2wvPgMH

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2692	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	ptssvc.exe
2592	ptssvc.exe

Loads dropped DLL 3 IoCs

pid	Process
2044	bbf3bc64dad9863e7872c4f72a0aa2ec.exe
2044	bbf3bc64dad9863e7872c4f72a0aa2ec.exe
3056	ptssvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Loader = "C:\\Users\\Admin\\AppData\\Roaming\\ptssvc.exe -lds"	bbf3bc64dad9863e7872c4f72a0aa2ec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 3056 set thread context of 2592	3056	ptssvc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 2292 wrote to memory of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 2292 wrote to memory of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 2292 wrote to memory of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 2292 wrote to memory of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 2292 wrote to memory of 2044	2292	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	28
PID 2044 wrote to memory of 3056	2044	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	29
PID 2044 wrote to memory of 3056	2044	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	29
PID 2044 wrote to memory of 3056	2044	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	29
PID 2044 wrote to memory of 3056	2044	bbf3bc64dad9863e7872c4f72a0aa2ec.exe	29
PID 3056 wrote to memory of 2592	3056	ptssvc.exe	30
PID 3056 wrote to memory of 2592	3056	ptssvc.exe	30
PID 3056 wrote to memory of 2592	3056	ptssvc.exe	30
PID 3056 wrote to memory of 2592	3056	ptssvc.exe	30
PID 3056 wrote to memory of 2592	3056	ptssvc.exe	30
PID 3056 wrote to memory of 2592	3056	ptssvc.exe	30
PID 2592 wrote to memory of 2692	2592	ptssvc.exe	31
PID 2592 wrote to memory of 2692	2592	ptssvc.exe	31
PID 2592 wrote to memory of 2692	2592	ptssvc.exe	31
PID 2592 wrote to memory of 2692	2592	ptssvc.exe	31

C:\Users\Admin\AppData\Local\Temp\bbf3bc64dad9863e7872c4f72a0aa2ec.exe
"C:\Users\Admin\AppData\Local\Temp\bbf3bc64dad9863e7872c4f72a0aa2ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\bbf3bc64dad9863e7872c4f72a0aa2ec.exe
  "C:\Users\Admin\AppData\Local\Temp\bbf3bc64dad9863e7872c4f72a0aa2ec.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Roaming\ptssvc.exe
    "C:\Users\Admin\AppData\Roaming\ptssvc.exe" -lds
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Roaming\ptssvc.exe
      "C:\Users\Admin\AppData\Roaming\ptssvc.exe" -lds
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\System32\netsh.exe" firewall add allowedprogram C:\Users\Admin\AppData\Roaming\ptssvc.exe "Windows Update Viewer" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ptssvc.exe

Filesize
20KB

MD5
bbf3bc64dad9863e7872c4f72a0aa2ec

SHA1
0114a95d62abfd61b3ff7f3adabb440c597d2d1f

SHA256
6e4060bacd4f83f9086717fb0985b844ed4f588ce4ece1b2c0097657c8405733

SHA512
229b09f9d24bf1e21999587139b7079e2c8608a4d390cf46833eee4b4c886cae77117c65be5a5009058457c232e19227a37600334387d225b4f5dbf97f39dffb

Download Submit
memory/2044-0-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2044-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-3-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2044-6-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2044-8-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2292-5-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2592-27-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/3056-24-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads