cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b

General

Target

cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Size

10.8MB
MD5

4f54150e61b5df07ad6323b964da1a98
SHA1

ee32dab0f4489e567ac2da159e1beb68c617c6bd
SHA256

cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b
SHA512

d4dcc1eaf227030cc94007fc26c839d7d234e050d97dac7aa515f2ab7ecb04db66997381576cbb6287bfd9e2188d65a8cd238a07daa1c9759f582c05c9ef7c1a

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f089c174b52a60dc1803fc49b6449e2.exe	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f089c174b52a60dc1803fc49b6449e2.exe	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f089c174b52a60dc1803fc49b6449e2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe\" .."	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0f089c174b52a60dc1803fc49b6449e2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe\" .."	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

description	pid	process
Token: SeDebugPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: 33	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
Token: SeIncBasePriorityPrivilege	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe

description	pid	process	target process
PID 868 wrote to memory of 4728	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe	netsh.exe
PID 868 wrote to memory of 4728	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe	netsh.exe
PID 868 wrote to memory of 4728	868	cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
"C:\Users\Admin\AppData\Local\Temp\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe" "cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe" ENABLE
2⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-131-0x0000000000610000-0x00000000010EA000-memory.dmp

Filesize
10.9MB

Download
memory/868-130-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/868-132-0x0000000009AA0000-0x000000000A044000-memory.dmp

Filesize
5.6MB

Download
memory/868-133-0x00000000094F0000-0x0000000009582000-memory.dmp

Filesize
584KB

Download
memory/868-134-0x0000000009590000-0x000000000962C000-memory.dmp

Filesize
624KB

Download
memory/868-135-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/868-136-0x00000000097A0000-0x00000000097AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads