e206d394ccbbcfe709c84ec233fb8475bd2648cf29237c65a2546a63fe775a1b

Analysis

max time kernel
112s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f13feaa2a607968fe994c936a7ac710N.exe
Size

1.1MB
MD5

9f13feaa2a607968fe994c936a7ac710
SHA1

9fcbe57442b68412f437d4bd5a3f2c66c6ce3c43
SHA256

e206d394ccbbcfe709c84ec233fb8475bd2648cf29237c65a2546a63fe775a1b
SHA512

502dd9131404556a0f6b3f21380d2eec65cd962dcacca5de9c113fe12effdf340df1088ff921d85e70f1e472e56306b1168de53175c4ee27d7bff6fc2dec0149
SSDEEP

12288:BwG9izpJ5n46SncBH7MTX0svLv/HbHt4SpcHGAB/Kc27P5HV0HiG+uLP6njiY25+:nMxIl

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\NAOO.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NAOO.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MSSN\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	9f13feaa2a607968fe994c936a7ac710N.exe

Executes dropped EXE 3 IoCs

pid	Process
4588	svchost.exe
4028	svchost.exe
4952	svchost.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2560-0-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/2340-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2340-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2340-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2560-16-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/files/0x000700000002345a-30.dat	upx
behavioral2/memory/4588-38-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/4588-45-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/4588-41-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/4588-50-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/4952-66-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-64-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4028-63-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4588-62-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral2/memory/2340-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4952-58-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-76-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4028-75-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4952-78-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-80-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-83-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-85-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-87-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-90-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-92-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-94-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-97-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4952-99-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\MSSN\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 4896	2560	9f13feaa2a607968fe994c936a7ac710N.exe	86
PID 2560 set thread context of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 4588 set thread context of 972	4588	svchost.exe	96
PID 4588 set thread context of 4028	4588	svchost.exe	97
PID 4588 set thread context of 4952	4588	svchost.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4020	4896	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f13feaa2a607968fe994c936a7ac710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f13feaa2a607968fe994c936a7ac710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2968	reg.exe
2608	reg.exe
4128	reg.exe
4948	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe
972	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 1	4952	svchost.exe
Token: SeCreateTokenPrivilege	4952	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4952	svchost.exe
Token: SeLockMemoryPrivilege	4952	svchost.exe
Token: SeIncreaseQuotaPrivilege	4952	svchost.exe
Token: SeMachineAccountPrivilege	4952	svchost.exe
Token: SeTcbPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeTakeOwnershipPrivilege	4952	svchost.exe
Token: SeLoadDriverPrivilege	4952	svchost.exe
Token: SeSystemProfilePrivilege	4952	svchost.exe
Token: SeSystemtimePrivilege	4952	svchost.exe
Token: SeProfSingleProcessPrivilege	4952	svchost.exe
Token: SeIncBasePriorityPrivilege	4952	svchost.exe
Token: SeCreatePagefilePrivilege	4952	svchost.exe
Token: SeCreatePermanentPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeShutdownPrivilege	4952	svchost.exe
Token: SeDebugPrivilege	4952	svchost.exe
Token: SeAuditPrivilege	4952	svchost.exe
Token: SeSystemEnvironmentPrivilege	4952	svchost.exe
Token: SeChangeNotifyPrivilege	4952	svchost.exe
Token: SeRemoteShutdownPrivilege	4952	svchost.exe
Token: SeUndockPrivilege	4952	svchost.exe
Token: SeSyncAgentPrivilege	4952	svchost.exe
Token: SeEnableDelegationPrivilege	4952	svchost.exe
Token: SeManageVolumePrivilege	4952	svchost.exe
Token: SeImpersonatePrivilege	4952	svchost.exe
Token: SeCreateGlobalPrivilege	4952	svchost.exe
Token: 31	4952	svchost.exe
Token: 32	4952	svchost.exe
Token: 33	4952	svchost.exe
Token: 34	4952	svchost.exe
Token: 35	4952	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe
Token: SeDebugPrivilege	4028	svchost.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2560	9f13feaa2a607968fe994c936a7ac710N.exe
2340	9f13feaa2a607968fe994c936a7ac710N.exe
4588	svchost.exe
972	svchost.exe
4028	svchost.exe
4952	svchost.exe
4952	svchost.exe
4952	svchost.exe
4952	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 4896	2560	9f13feaa2a607968fe994c936a7ac710N.exe	86
PID 2560 wrote to memory of 4896	2560	9f13feaa2a607968fe994c936a7ac710N.exe	86
PID 2560 wrote to memory of 4896	2560	9f13feaa2a607968fe994c936a7ac710N.exe	86
PID 2560 wrote to memory of 4896	2560	9f13feaa2a607968fe994c936a7ac710N.exe	86
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2560 wrote to memory of 2340	2560	9f13feaa2a607968fe994c936a7ac710N.exe	88
PID 2340 wrote to memory of 756	2340	9f13feaa2a607968fe994c936a7ac710N.exe	91
PID 2340 wrote to memory of 756	2340	9f13feaa2a607968fe994c936a7ac710N.exe	91
PID 2340 wrote to memory of 756	2340	9f13feaa2a607968fe994c936a7ac710N.exe	91
PID 756 wrote to memory of 4492	756	cmd.exe	94
PID 756 wrote to memory of 4492	756	cmd.exe	94
PID 756 wrote to memory of 4492	756	cmd.exe	94
PID 2340 wrote to memory of 4588	2340	9f13feaa2a607968fe994c936a7ac710N.exe	95
PID 2340 wrote to memory of 4588	2340	9f13feaa2a607968fe994c936a7ac710N.exe	95
PID 2340 wrote to memory of 4588	2340	9f13feaa2a607968fe994c936a7ac710N.exe	95
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 972	4588	svchost.exe	96
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4028	4588	svchost.exe	97
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4588 wrote to memory of 4952	4588	svchost.exe	98
PID 4952 wrote to memory of 3628	4952	svchost.exe	99
PID 4952 wrote to memory of 3628	4952	svchost.exe	99
PID 4952 wrote to memory of 3628	4952	svchost.exe	99
PID 4952 wrote to memory of 4964	4952	svchost.exe	100
PID 4952 wrote to memory of 4964	4952	svchost.exe	100
PID 4952 wrote to memory of 4964	4952	svchost.exe	100
PID 4952 wrote to memory of 1972	4952	svchost.exe	101
PID 4952 wrote to memory of 1972	4952	svchost.exe	101
PID 4952 wrote to memory of 1972	4952	svchost.exe	101
PID 4952 wrote to memory of 4112	4952	svchost.exe	102
PID 4952 wrote to memory of 4112	4952	svchost.exe	102
PID 4952 wrote to memory of 4112	4952	svchost.exe	102
PID 1972 wrote to memory of 2968	1972	cmd.exe	107
PID 1972 wrote to memory of 2968	1972	cmd.exe	107
PID 1972 wrote to memory of 2968	1972	cmd.exe	107
PID 3628 wrote to memory of 2608	3628	cmd.exe	108
PID 3628 wrote to memory of 2608	3628	cmd.exe	108
PID 3628 wrote to memory of 2608	3628	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\9f13feaa2a607968fe994c936a7ac710N.exe
"C:\Users\Admin\AppData\Local\Temp\9f13feaa2a607968fe994c936a7ac710N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 84
    3⤵
    - Program crash
    PID:4020
- C:\Users\Admin\AppData\Local\Temp\9f13feaa2a607968fe994c936a7ac710N.exe
  "C:\Users\Admin\AppData\Local\Temp\9f13feaa2a607968fe994c936a7ac710N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BNOJH.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4492
- - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
    "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:972
  - - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
      "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4028
  - - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
      "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BNOJH.txt

Filesize
141B

MD5
eedf1bdeda7a9e6d314f346ae723cef1

SHA1
0680703a702f23e44ca855381c8764cfb7ec406e

SHA256
c8eed6be01e84beeef07e298e0db3a86e14d265f176034c1a1b6b386f3766920

SHA512
5d7081569bfea250054a49efea9d444ff7af9a351b959fec6197896622d9b0af4b32711c987493a088f2068834095e57ecd7856423b61fb5b950a7b704fdb364

Download Submit
C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe

Filesize
1.1MB

MD5
0a529311c76e96952e5538b2f34ed4c2

SHA1
e8603aa63488fca0cadaef4e5a82488420807bca

SHA256
08a3c3a891ccc58f2bd52c5360bdcef901f26dae02447c1cc2b943e3d91bbd4c

SHA512
2a89cd08020b03f01ad44febd840f2a0f413300e3cd7361a6802f6b0583cb534aa4e45f62d3f87a5e79e3621613eea83177d7f32889b08ab29807998c45acd34

Download Submit
memory/972-42-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/972-44-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/972-47-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/972-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2340-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2340-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2340-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2340-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2560-12-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

Filesize
8KB

Download
memory/2560-16-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2560-11-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

Filesize
8KB

Download
memory/2560-10-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

Filesize
8KB

Download
memory/2560-5-0x0000000002C40000-0x0000000002C42000-memory.dmp

Filesize
8KB

Download
memory/2560-3-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/2560-0-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4028-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4028-75-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4588-50-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4588-45-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4588-38-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4588-62-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4588-41-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4952-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-85-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-94-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-97-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download