6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040

General

Target

6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Size

37KB
MD5

c7a8f1df58106bf2feca10982b036563
SHA1

69accc51b9ec52522b0679689d19cc978c1ed176
SHA256

6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040
SHA512

121bf135b3ba74e5617a6dad0224eef150595e4c16610cf16865c89461d1a504a069b02339499134d836ed721b26b502c7273dd4b28fd2ca00990e7afa118db2

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe

description	pid	process
Token: SeDebugPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: 33	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
Token: SeIncBasePriorityPrivilege	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe

description	pid	process	target process
PID 2204 wrote to memory of 2504	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe	netsh.exe
PID 2204 wrote to memory of 2504	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe	netsh.exe
PID 2204 wrote to memory of 2504	2204	6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe
"C:\Users\Admin\AppData\Local\Temp\6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe" "6315eb063c4308544234aa673dd4c7fe000132468d5095d4c827768aff3a3040.exe" ENABLE
2⤵
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-130-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/2504-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing