Analysis
- max time kernel: 30s
- resource: win10v191014
- submitted: 09-01-2020 13:17

Signatures
Modifies Windows Firewall (1 TTPs, 3 IoCs)
Processes:
  pid   process
  5100  netsh.exe
  2056  netsh.exe
  4504  netsh.exe
Drops autorun.inf file
Processes:
  description                   ioc             process
  File created                  C:\autorun.inf  server.exe
  File opened for modification  C:\autorun.inf  server.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process                        target process
  PID 4920 wrote to memory of 5040  4920  2020-01-09-12-13_4sZAhGZh.exe  server.exe
  PID 5040 wrote to memory of 5100  5040  server.exe                     netsh.exe
  PID 5040 wrote to memory of 2056  5040  server.exe                     netsh.exe
  PID 5040 wrote to memory of 4504  5040  server.exe                     netsh.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  5040  server.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            5040  server.exe
  Token: 33                          5040  server.exe
  Token: SeIncBasePriorityPrivilege  5040  server.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  5040  server.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  5040  server.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2020-01-09-12-13_4sZAhGZh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2020-01-09-12-13_4sZAhGZh.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\server.exe
        Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
        - Drops autorun.inf file
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
            - Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall