73eab7c739e178ac84370b78bcc5b969c693637144ae25ba56895a6ce28bc9db

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 04:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7b8c224a6cabae31557182788f7442a.exe
Size

440KB
MD5

c7b8c224a6cabae31557182788f7442a
SHA1

b87bba5303a93b2f7d41037e864d81c208e955b8
SHA256

73eab7c739e178ac84370b78bcc5b969c693637144ae25ba56895a6ce28bc9db
SHA512

149db0b4a49f7234d1061b896f305da80abde917923b860bb1dc390952fbf3ee3609ae63150d10e6d0c273bbc48c46ce721aadb1a5be3a1429e49f8a7b9a5f26
SSDEEP

12288:tHM3/vAAOhOnYlPyeuKuUmNMt5wDUVDdFo:tHMvvA7OYGUke5HVDY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c7b8c224a6cabae31557182788f7442a.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	c7b8c224a6cabae31557182788f7442a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	c7b8c224a6cabae31557182788f7442a.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}	c7b8c224a6cabae31557182788f7442a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	c7b8c224a6cabae31557182788f7442a.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}	c7b8c224a6cabae31557182788f7442a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	c7b8c224a6cabae31557182788f7442a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	c7b8c224a6cabae31557182788f7442a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	c7b8c224a6cabae31557182788f7442a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2440	reg.exe
2288	reg.exe
2436	reg.exe
2724	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeCreateTokenPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeAssignPrimaryTokenPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeLockMemoryPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeIncreaseQuotaPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeMachineAccountPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeTcbPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeSecurityPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeTakeOwnershipPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeLoadDriverPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeSystemProfilePrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeSystemtimePrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeProfSingleProcessPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeIncBasePriorityPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeCreatePagefilePrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeCreatePermanentPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeBackupPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeRestorePrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeShutdownPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeDebugPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeAuditPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeSystemEnvironmentPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeChangeNotifyPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeRemoteShutdownPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeUndockPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeSyncAgentPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeEnableDelegationPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeManageVolumePrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeImpersonatePrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeCreateGlobalPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: 31	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: 32	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: 33	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: 34	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: 35	1908	c7b8c224a6cabae31557182788f7442a.exe
Token: SeDebugPrivilege	1908	c7b8c224a6cabae31557182788f7442a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1976	c7b8c224a6cabae31557182788f7442a.exe
1908	c7b8c224a6cabae31557182788f7442a.exe
1908	c7b8c224a6cabae31557182788f7442a.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1976 wrote to memory of 1908	1976	c7b8c224a6cabae31557182788f7442a.exe	28
PID 1908 wrote to memory of 2652	1908	c7b8c224a6cabae31557182788f7442a.exe	29
PID 1908 wrote to memory of 2652	1908	c7b8c224a6cabae31557182788f7442a.exe	29
PID 1908 wrote to memory of 2652	1908	c7b8c224a6cabae31557182788f7442a.exe	29
PID 1908 wrote to memory of 2652	1908	c7b8c224a6cabae31557182788f7442a.exe	29
PID 1908 wrote to memory of 2684	1908	c7b8c224a6cabae31557182788f7442a.exe	30
PID 1908 wrote to memory of 2684	1908	c7b8c224a6cabae31557182788f7442a.exe	30
PID 1908 wrote to memory of 2684	1908	c7b8c224a6cabae31557182788f7442a.exe	30
PID 1908 wrote to memory of 2684	1908	c7b8c224a6cabae31557182788f7442a.exe	30
PID 1908 wrote to memory of 1640	1908	c7b8c224a6cabae31557182788f7442a.exe	32
PID 1908 wrote to memory of 1640	1908	c7b8c224a6cabae31557182788f7442a.exe	32
PID 1908 wrote to memory of 1640	1908	c7b8c224a6cabae31557182788f7442a.exe	32
PID 1908 wrote to memory of 1640	1908	c7b8c224a6cabae31557182788f7442a.exe	32
PID 1908 wrote to memory of 2560	1908	c7b8c224a6cabae31557182788f7442a.exe	33
PID 1908 wrote to memory of 2560	1908	c7b8c224a6cabae31557182788f7442a.exe	33
PID 1908 wrote to memory of 2560	1908	c7b8c224a6cabae31557182788f7442a.exe	33
PID 1908 wrote to memory of 2560	1908	c7b8c224a6cabae31557182788f7442a.exe	33
PID 1640 wrote to memory of 2724	1640	cmd.exe	38
PID 1640 wrote to memory of 2724	1640	cmd.exe	38
PID 1640 wrote to memory of 2724	1640	cmd.exe	38
PID 1640 wrote to memory of 2724	1640	cmd.exe	38
PID 2652 wrote to memory of 2440	2652	cmd.exe	37
PID 2652 wrote to memory of 2440	2652	cmd.exe	37
PID 2652 wrote to memory of 2440	2652	cmd.exe	37
PID 2652 wrote to memory of 2440	2652	cmd.exe	37
PID 2560 wrote to memory of 2436	2560	cmd.exe	39
PID 2560 wrote to memory of 2436	2560	cmd.exe	39
PID 2560 wrote to memory of 2436	2560	cmd.exe	39
PID 2560 wrote to memory of 2436	2560	cmd.exe	39
PID 2684 wrote to memory of 2288	2684	cmd.exe	40
PID 2684 wrote to memory of 2288	2684	cmd.exe	40
PID 2684 wrote to memory of 2288	2684	cmd.exe	40
PID 2684 wrote to memory of 2288	2684	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe
"C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe
  C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c7b8c224a6cabae31557182788f7442a.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\data.dat

Filesize
33B

MD5
821f48fdc9e572c433b3e78f3a829a75

SHA1
296fc1bb4a652daa7a2412744b40554a2406f989

SHA256
d73f1175aff90570f4701aba0805c26062b71a245e32ef76d8b68c4f6ba291bc

SHA512
3e0c8a9d70af01dc0161796b8735b4e30001df3543b35dc5d3c3c2a8020b00202ff5d5ab609422f6a538305a3ec7da305683ac45124bf75163b6d6e91380612c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
440KB

MD5
c7b8c224a6cabae31557182788f7442a

SHA1
b87bba5303a93b2f7d41037e864d81c208e955b8

SHA256
73eab7c739e178ac84370b78bcc5b969c693637144ae25ba56895a6ce28bc9db

SHA512
149db0b4a49f7234d1061b896f305da80abde917923b860bb1dc390952fbf3ee3609ae63150d10e6d0c273bbc48c46ce721aadb1a5be3a1429e49f8a7b9a5f26

Download Submit
memory/1908-18-0x0000000075ED0000-0x0000000075F70000-memory.dmp

Filesize
640KB

Download
memory/1908-19-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-15-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-16-0x0000000075ED0000-0x0000000075F70000-memory.dmp

Filesize
640KB

Download
memory/1908-17-0x00000000770A1000-0x00000000770A2000-memory.dmp

Filesize
4KB

Download
memory/1908-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-22-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-28-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-30-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-4-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-36-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads