6000cb4765d6219aeea0210a1ecec6af293e3ee6e330f560e30c043987f5aeb7

General

Target

b598b0ecf0848c10ca61aa23c93ed5f9.exe
Size

91KB
MD5

b598b0ecf0848c10ca61aa23c93ed5f9
SHA1

3dd842fb3ab58046de7f4d4c2f0d28b4404a1c57
SHA256

6000cb4765d6219aeea0210a1ecec6af293e3ee6e330f560e30c043987f5aeb7
SHA512

9aec32b1c79788eee9bf6fd20122603dab131e0c3d5e209e1502583d65a44e012765158ee3f25a07d44b92cc9872dd0af2d92c0dedd058e587f530f47fa0493d

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Drops file in System32 directory 2 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Drops file in Program Files directory 2 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	ioc	process
File created	C:\Program Files (x86)\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

pid	process
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

pid process

3900 b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	pid	process
Token: SeDebugPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	pid	process	target process
PID 3900 wrote to memory of 1796	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 1796	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 1796	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 3176	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 3176	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 3176	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 4020	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 4020	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 3900 wrote to memory of 4020	3900	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe
"C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe" "b598b0ecf0848c10ca61aa23c93ed5f9.exe" ENABLE
2⤵
PID:1796

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe"
2⤵
PID:3176

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe" "b598b0ecf0848c10ca61aa23c93ed5f9.exe" ENABLE
2⤵
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-116-0x0000000000000000-mapping.dmp

Download
memory/3176-117-0x0000000000000000-mapping.dmp

Download
memory/3900-115-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4020-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads