8e87d800919cab678d916a2242bb400f53fc9397f6fcc6de053afdc798042f14

General

Target

2020-01-09-12-13_4sZAhGZh.exe
Sample

200109-ym7kmkrsda
SHA256

8e87d800919cab678d916a2242bb400f53fc9397f6fcc6de053afdc798042f14

Score

8^/10

evasion spreading trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2020-01-09-12-13_4sZAhGZh.exeserver.exe

description	pid	process	target process
PID 4988 wrote to memory of 5104	4988	2020-01-09-12-13_4sZAhGZh.exe	server.exe
PID 5104 wrote to memory of 1696	5104	server.exe	netsh.exe
PID 5104 wrote to memory of 3748	5104	server.exe	netsh.exe
PID 5104 wrote to memory of 4516	5104	server.exe	netsh.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

5104 server.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

server.exe

description pid process

Token: SeDebugPrivilege 5104 server.exe
Token: 33 5104 server.exe
Token: SeIncBasePriorityPrivilege 5104 server.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

server.exe

pid process

5104 server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

5104 server.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

3748 netsh.exe
4516 netsh.exe
1696 netsh.exe
Drops autorun.inf file 1 TTPs 2 IoCs
spreading trojan

Replication Through Removable Media
T1091

Processes:

server.exe

description ioc process

File created C:\autorun.inf server.exe
File opened for modification C:\autorun.inf server.exe

pid	process
5104	server.exe

description	pid	process
Token: SeDebugPrivilege	5104	server.exe
Token: 33	5104	server.exe
Token: SeIncBasePriorityPrivilege	5104	server.exe

pid	process
5104	server.exe

pid	process
5104	server.exe

pid	process
3748	netsh.exe
4516	netsh.exe
1696	netsh.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

C:\Users\Admin\AppData\Local\Temp\2020-01-09-12-13_4sZAhGZh.exe
"C:\Users\Admin\AppData\Local\Temp\2020-01-09-12-13_4sZAhGZh.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Drops autorun.inf file
PID:5104

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1696

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:3748

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Download Submit

Analysis

Sharing