c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b

General

Target

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
Size

41KB
MD5

2187c3751c66ebd51e672ecc18c07965
SHA1

a287ec68b31443e15d4d01f0804cc509c1f2f719
SHA256

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b
SHA512

cccaa3f996e729cd3246bbba5995a54bc708f418ae34bb833078326a33ffac9a4d821cdda8e51660577b6b1531f3b11128eb7fe07e091b8242f44281adc7db92

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\15f1bc79f41c5898c2f912f99de027b3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

pid	process
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

description pid process

Token: SeDebugPrivilege 956 c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

description	pid	process
Token: SeDebugPrivilege	956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe

description	pid	process	target process
PID 956 wrote to memory of 1228	956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe	netsh.exe
PID 956 wrote to memory of 1228	956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe	netsh.exe
PID 956 wrote to memory of 1228	956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe	netsh.exe
PID 956 wrote to memory of 1228	956	c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe
"C:\Users\Admin\AppData\Local\Temp\c678d05e7afa866f3bb21a5d04aa51cd494fa8ce7367912d164e62d14a8b510b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
2⤵
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/956-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/956-58-0x0000000000455000-0x0000000000466000-memory.dmp

Filesize
68KB

Download
memory/1228-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads