3765c62b096e83b14eebdf89ec78683e373be4fb4c63de1e599981979f79168f

General

Target

3fc37dc097e9af0bde7a150d600b9162.exe
Size

93KB
MD5

3fc37dc097e9af0bde7a150d600b9162
SHA1

651f143d624f21827550ba8da11813ce74450429
SHA256

3765c62b096e83b14eebdf89ec78683e373be4fb4c63de1e599981979f79168f
SHA512

e825dad16affbd61c18a69b0f35f224ff42510b088b783d39d96e6471b3be2feec1290f45da3b0bab9943e0be5c84a4ff83233316d9196e1bf79579d0f5f0fc4

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

3fc37dc097e9af0bde7a150d600b9162.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	3fc37dc097e9af0bde7a150d600b9162.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	3fc37dc097e9af0bde7a150d600b9162.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c32002b041e622ed9509aeeaf370e5bWindows Update.exe	3fc37dc097e9af0bde7a150d600b9162.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c32002b041e622ed9509aeeaf370e5bWindows Update.exe	3fc37dc097e9af0bde7a150d600b9162.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3fc37dc097e9af0bde7a150d600b9162.exe

pid	process
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe
2352	3fc37dc097e9af0bde7a150d600b9162.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3fc37dc097e9af0bde7a150d600b9162.exe

pid process

2352 3fc37dc097e9af0bde7a150d600b9162.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

3fc37dc097e9af0bde7a150d600b9162.exe

description	pid	process
Token: SeDebugPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: 33	2352	3fc37dc097e9af0bde7a150d600b9162.exe
Token: SeIncBasePriorityPrivilege	2352	3fc37dc097e9af0bde7a150d600b9162.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3fc37dc097e9af0bde7a150d600b9162.exe

description	pid	process	target process
PID 2352 wrote to memory of 504	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 504	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 504	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 3888	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 3888	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 3888	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 2052	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 2052	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe
PID 2352 wrote to memory of 2052	2352	3fc37dc097e9af0bde7a150d600b9162.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3fc37dc097e9af0bde7a150d600b9162.exe
"C:\Users\Admin\AppData\Local\Temp\3fc37dc097e9af0bde7a150d600b9162.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3fc37dc097e9af0bde7a150d600b9162.exe" "3fc37dc097e9af0bde7a150d600b9162.exe" ENABLE
2⤵
PID:504

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\3fc37dc097e9af0bde7a150d600b9162.exe"
2⤵
PID:3888

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3fc37dc097e9af0bde7a150d600b9162.exe" "3fc37dc097e9af0bde7a150d600b9162.exe" ENABLE
2⤵
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-116-0x0000000000000000-mapping.dmp

Download
memory/2052-118-0x0000000000000000-mapping.dmp

Download
memory/2352-115-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3888-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads