Analysis
max time kernel: 150s
max time network: 161s
platform: windows10_x64
resource: win10-en
submitted: 16-09-2021 17:05
Behavioral task: behavioral1
Sample: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
Resource: win7-en (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
Resource: win10-en (windows10_x64)
0 signatures, 0 seconds
General
Target: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
Size: 37KB
MD5: 4211578cdfacbd2ba17aeca89f127f60
SHA1: d09bb5b348703089849fb0650c24501de5b5d388
SHA256: c39e53a8a1d7e702ce379ee016e79448798adcc9ecf57854e0dffdf8e12aebd0
SHA512: f248df22736ba09d85921c4be09f367dd8960b2144a875799b0ebcbf695c33d0b68eb1df3ea8ec975fd7897a6c3c200e600c3b5fe68fe9ab0bfdae3448880d7a
Score: 8/10
Malware Config

Signatures

Modifies Windows Firewall (1 TTPs)

Drops startup file (2 IoCs)
Processes: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\789f05f583cf1829fbeacd099e6f1a6c.exe (process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\789f05f583cf1829fbeacd099e6f1a6c.exe (process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\789f05f583cf1829fbeacd099e6f1a6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe\" .." (process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\789f05f583cf1829fbeacd099e6f1a6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe\" .." (process: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe)
Drops autorun.inf file (1 TTPs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- pid 3908, process C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe (all 64 entries are this same pid/process pair)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- pid 3908, process C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Token: SeDebugPrivilege, pid 3908, process C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, pid 3908, process C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe (all remaining entries)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
- PID 3908 wrote to memory of 3996: C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe -> netsh.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe" "C39E53A8A1D7E702CE379EE016E79448798ADCC9ECF57.exe" ENABLE