5511834808385536.zip

backendhorse2
featuresanalog
max_time_kernel150360
max_time_network116884
platformwindows10_x64
resourcewin10v200217
submitted06-04-2020 23:07

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Filesize

106KB

Completed

06-04-2020 23:09

Score

8 ^/10

MD5

8c7ba09e5e8a46926f2e9233c2cbf3c5

SHA1

29b031dc4829b82bc35382ed3b00202653af6eee

SHA256

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf

Lateral Movement

Persistence

Drops startup file

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Reported IOCs

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Drops autorun.inf file

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

TTPs

Replication Through Removable Media

Reported IOCs

description	ioc	process
File created	C:\autorun.inf	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
File opened for modification	C:\autorun.inf	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Disables Task Manager via registry modification

Tags

evasion

Suspicious use of WriteProcessMemory

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Reported IOCs

description	pid	process	target process
PID 2500 wrote to memory of 2812	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 2500 wrote to memory of 2812	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe
PID 2500 wrote to memory of 2812	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe	netsh.exe

Suspicious use of AdjustPrivilegeToken

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: 33	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Token: SeIncBasePriorityPrivilege	2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Suspicious behavior: EnumeratesProcesses

485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Reported IOCs

pid	process
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
2500	485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Suspicious behavior: GetForegroundWindowSpam
485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

Reported IOCs

pid process

2500 485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service

C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe

"C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe"

Drops startup file
Drops autorun.inf file
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:2500

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe" "485731953357c358a63d27adb2740b43cd12a647b26aaa4672ae269b07dbcdbf.exe" ENABLE

PID:2812

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Replication Through Removable Media

Persistence

Modify Existing Service

Privilege Escalation

00:00 00:00

5511834808385536.zip

Filter: none

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Title