Analysis
  Max time kernel: 150s
  Resource: win10v191014
  Submitted: 09-01-2020 13:19
  Task: task1
  Sample: 2020-01-09-12-13_4sZAhGZh.exe
  Resource: win7v191014
  0 signatures
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                         target process
    PID 4988 wrote to memory of 5104   4988  2020-01-09-12-13_4sZAhGZh.exe   server.exe
    PID 5104 wrote to memory of 1696   5104  server.exe                      netsh.exe
    PID 5104 wrote to memory of 3748   5104  server.exe                      netsh.exe
    PID 5104 wrote to memory of 4516   5104  server.exe                      netsh.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    5104  server.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                         pid   process
    Token: SeDebugPrivilege             5104  server.exe
    Token: 33                           5104  server.exe
    Token: SeIncBasePriorityPrivilege   5104  server.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    5104  server.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    5104  server.exe
- Modifies Windows Firewall (1 TTP, 3 IoCs)
  Processes:
    pid   process
    3748  netsh.exe
    4516  netsh.exe
    1696  netsh.exe
- Drops autorun.inf file
  Processes:
    description                    ioc              process
    File created                   C:\autorun.inf   server.exe
    File opened for modification   C:\autorun.inf   server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2020-01-09-12-13_4sZAhGZh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2020-01-09-12-13_4sZAhGZh.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Drops autorun.inf file
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall