c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13

General

Target

c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Size

53KB
MD5

9f68e8d3d56e207be9f3814f5f084cd3
SHA1

d4fb2293908d00b17c232d614e6e3a9fcb217bf8
SHA256

c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13
SHA512

80b45935c4de14c57035caf9d401671c318b07229ed74fb0cd96500cbff4073b4d218d3d425d1ce65b3f6b8fdeb9fda0b343572e67971ae3f8a54d942060b35e

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb4e9f3d65482a77bc0d3a7471027899.exe	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb4e9f3d65482a77bc0d3a7471027899.exe	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe

description	pid	process
Token: SeDebugPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: 33	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Token: SeIncBasePriorityPrivilege	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe

description	pid	process	target process
PID 3428 wrote to memory of 4936	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe	netsh.exe
PID 3428 wrote to memory of 4936	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe	netsh.exe
PID 3428 wrote to memory of 4936	3428	c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
"C:\Users\Admin\AppData\Local\Temp\c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe" "c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe" ENABLE
2⤵
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3428-130-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4936-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads