0e892037eaa1fd8e0b435a176fd996044a17f14b2c6a7a55a8674192843f7c9f | Triage

Analysis

max time kernel
152s
max time network
107s
platform
windows7_x64
resource
win7v200217
submitted
06-04-2020 23:07

Sharing

Report Analysis Logs

General

Target

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Size

106KB
MD5

8c7ba09e5e8a46926f2e9233c2cbf3c5
SHA1

29b031dc4829b82bc35382ed3b00202653af6eee
SHA256

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf
SHA512

43bce0b80179d2d859c7fd93c69b6ce012ef81038f4a838a6d5357fa37215c395da740ce22b9db3dcd836ad347c16a3b5c2bf62dd57e1c78457b3d2ef2282305

Score

8^/10

evasion persistence spreading trojan

Malware Config

Signatures

Modifies service 2 TTPs 5 IoCs

Modify Registry

Modify Existing Service

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe

Drops autorun.inf file 1 TTPs 2 IoCs

spreading trojan

Replication Through Removable Media

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	ioc	process
File opened for modification	C:\autorun.inf	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
File created	C:\autorun.inf	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	pid	process	target process
PID 1832 wrote to memory of 1872	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 1832 wrote to memory of 1872	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 1832 wrote to memory of 1872	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 1832 wrote to memory of 1872	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	pid	process
Token: SeDebugPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Suspicious behavior: EnumeratesProcesses 1384 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

pid	process
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
1832	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Disables Task Manager via registry modification
evasion
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

pid process

1832 485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
"C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Drops startup file
PID:1832

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe" "485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe" ENABLE
2⤵
- Modifies service
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...