63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04

General

Target

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
Size

29KB
MD5

e9c813c3c14c5bd4fd33874348a5669c
SHA1

aebbdbf53a56e08dcbce4ac62cfebc299968a710
SHA256

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04
SHA512

72d0ffb7cd3d24739e9627c6265ccfddbb8b7531c62ee03512bdddaac12517d10d6aa439de7b52c1f99f93c28a22a5aabab6b1d16120acbbf80e8036e86a1e58

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\589efcb4729236d78cc774c0c6b1714f.exe	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\589efcb4729236d78cc774c0c6b1714f.exe	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\589efcb4729236d78cc774c0c6b1714f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe\" .."	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\589efcb4729236d78cc774c0c6b1714f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe\" .."	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

pid	process
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

description pid process

Token: SeDebugPrivilege 4532 63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

description	pid	process
Token: SeDebugPrivilege	4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe

description	pid	process	target process
PID 4532 wrote to memory of 2576	4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe	netsh.exe
PID 4532 wrote to memory of 2576	4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe	netsh.exe
PID 4532 wrote to memory of 2576	4532	63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe
"C:\Users\Admin\AppData\Local\Temp\63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe" "63cedc737425f8bdf00c623c8f6dc88dfb8abb44b0a138805716166b3f323a04.exe" ENABLE
2⤵
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2576-131-0x0000000000000000-mapping.dmp

Download
memory/4532-130-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads