c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7

General

Target

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Size

37KB
MD5

c3f164e066b7f20fffd8df364fc40266
SHA1

85133f66865acaf84901e93a18477277497ee725
SHA256

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7
SHA512

1cc683df9225a6588011f28942762030f0d94ba36fe4226447e7e0f46c5dc15231d274000695df35cdba4094612a1adb07c688cdd67aadc7070299af45f73a29

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3606c5f97d6501fbc87e008a24eb48c.exe	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3606c5f97d6501fbc87e008a24eb48c.exe	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3606c5f97d6501fbc87e008a24eb48c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe\" .."	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b3606c5f97d6501fbc87e008a24eb48c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe\" .."	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

pid	process
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

pid process

2160 c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

description	pid	process
Token: SeDebugPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: 33	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
Token: SeIncBasePriorityPrivilege	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe

description	pid	process	target process
PID 2160 wrote to memory of 4964	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe	netsh.exe
PID 2160 wrote to memory of 4964	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe	netsh.exe
PID 2160 wrote to memory of 4964	2160	c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe
"C:\Users\Admin\AppData\Local\Temp\c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe" "c057b20168f138304c491aad769453c92851c3b119662715c49b8ae66881d3d7.exe" ENABLE
2⤵
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-130-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4964-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads