e741074fedb4ec508e304ecb834d78aa.exe

General
Target:    e741074fedb4ec508e304ecb834d78aa.exe
Filesize:  37KB
Completed: 22-09-2021 14:06
Score:     8/10
MD5:       e741074fedb4ec508e304ecb834d78aa
SHA1:      2189c0ffa7ba0d2c64dd9dea2b00b967f4de2d93
SHA256:    fdd90c147010114bf0d334c72cfba5a164c26b1f8fdd1e04271901f1152765dc

Malware Config
Signatures 5

Persistence
  • Modifies Windows Firewall

    TTPs: Modify Existing Service
  • Suspicious behavior: EnumeratesProcesses
    e741074fedb4ec508e304ecb834d78aa.exe

    Reported IOCs (the same entry is listed 64 times in the report)

    pid   process
    1088  e741074fedb4ec508e304ecb834d78aa.exe
  • Suspicious behavior: GetForegroundWindowSpam
    e741074fedb4ec508e304ecb834d78aa.exe

    Reported IOCs

    pid   process
    1088  e741074fedb4ec508e304ecb834d78aa.exe
  • Suspicious use of AdjustPrivilegeToken
    e741074fedb4ec508e304ecb834d78aa.exe

    Reported IOCs (one SeDebugPrivilege entry, followed by 17 repetitions of the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair)

    description                        pid   process
    Token: SeDebugPrivilege            1088  e741074fedb4ec508e304ecb834d78aa.exe
    Token: 33                          1088  e741074fedb4ec508e304ecb834d78aa.exe
    Token: SeIncBasePriorityPrivilege  1088  e741074fedb4ec508e304ecb834d78aa.exe
  • Suspicious use of WriteProcessMemory
    e741074fedb4ec508e304ecb834d78aa.exe

    Reported IOCs (the same entry is listed 4 times in the report)

    description                       pid   process                               target process
    PID 1088 wrote to memory of 1668  1088  e741074fedb4ec508e304ecb834d78aa.exe  netsh.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe
    "C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe" "e741074fedb4ec508e304ecb834d78aa.exe" ENABLE
      PID:1668
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • memory/1088-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
  • memory/1088-61-0x0000000000A90000-0x0000000000A91000-memory.dmp
  • memory/1668-62-0x0000000000000000-mapping.dmp