0e892037eaa1fd8e0b435a176fd996044a17f14b2c6a7a55a8674192843f7c9f

General

Target

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Size

106KB
MD5

8c7ba09e5e8a46926f2e9233c2cbf3c5
SHA1

29b031dc4829b82bc35382ed3b00202653af6eee
SHA256

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf
SHA512

43bce0b80179d2d859c7fd93c69b6ce012ef81038f4a838a6d5357fa37215c395da740ce22b9db3dcd836ad347c16a3b5c2bf62dd57e1c78457b3d2ef2282305

Score

8^/10

evasion spreading trojan

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Drops autorun.inf file 1 TTPs 2 IoCs

spreading trojan

Replication Through Removable Media

T1091

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	ioc	process
File created	C:\autorun.inf	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
File opened for modification	C:\autorun.inf	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Disables Task Manager via registry modification
evasion

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	pid	process	target process
PID 2500 wrote to memory of 2812	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 2500 wrote to memory of 2812	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 2500 wrote to memory of 2812	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

description	pid	process
Token: SeDebugPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Suspicious behavior: EnumeratesProcesses 2091 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

pid	process
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

pid process

2500 485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
"C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe"
1⤵
- Drops startup file
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2500

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe" "485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe" ENABLE
2⤵
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads