c802ad69a90e92057e9e356cb084b3673d27f8d012634318dc839f3a833a36b3

General

Target

8b1591597ee8d31f95502e15cb409bb7.exe
Size

93KB
MD5

8b1591597ee8d31f95502e15cb409bb7
SHA1

e27d6a8fbea33a22fcb0e6a2932394200c2cd63a
SHA256

c802ad69a90e92057e9e356cb084b3673d27f8d012634318dc839f3a833a36b3
SHA512

ae2803ef4fa5c683ab2710924ca8c3d30e396048944160ef871aaf86fbb7ce260205eb6da8fb92392958829e56d494291fc52a29bb4be9500351769ba31e9364

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops file in Program Files directory 2 IoCs

Processes:

8b1591597ee8d31f95502e15cb409bb7.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Explower.exe	8b1591597ee8d31f95502e15cb409bb7.exe
File created	C:\Program Files (x86)\Explower.exe	8b1591597ee8d31f95502e15cb409bb7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8b1591597ee8d31f95502e15cb409bb7.exe

pid process

2704 8b1591597ee8d31f95502e15cb409bb7.exe

pid	process
2704	8b1591597ee8d31f95502e15cb409bb7.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

8b1591597ee8d31f95502e15cb409bb7.exe

description	pid	process
Token: SeDebugPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: 33	2704	8b1591597ee8d31f95502e15cb409bb7.exe
Token: SeIncBasePriorityPrivilege	2704	8b1591597ee8d31f95502e15cb409bb7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8b1591597ee8d31f95502e15cb409bb7.exe

description	pid	process	target process
PID 2704 wrote to memory of 3612	2704	8b1591597ee8d31f95502e15cb409bb7.exe	netsh.exe
PID 2704 wrote to memory of 3612	2704	8b1591597ee8d31f95502e15cb409bb7.exe	netsh.exe
PID 2704 wrote to memory of 3612	2704	8b1591597ee8d31f95502e15cb409bb7.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe
"C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe" "8b1591597ee8d31f95502e15cb409bb7.exe" ENABLE
2⤵
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-115-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/3612-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads