2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666

General

Target

2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Size

301KB
MD5

5e04a9f2d48e007fc7ee5e06fb7a3613
SHA1

e3123b48a526b357d773b606916eaeedaf7ee437
SHA256

2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666
SHA512

0bfb8f050727c5a651a56b7dc6131412dc940252aa115c9adc6ee9462a5ef9e8acdb03617b0d6110d6fe6fcda5214310f9f496d8f78821455e2f457a80a5af14

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe

description	pid	process
Token: SeDebugPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: 33	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
Token: SeIncBasePriorityPrivilege	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe

description	pid	process	target process
PID 1516 wrote to memory of 1732	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe	netsh.exe
PID 1516 wrote to memory of 1732	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe	netsh.exe
PID 1516 wrote to memory of 1732	1516	2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
"C:\Users\Admin\AppData\Local\Temp\2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe" "2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe" ENABLE
2⤵
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1516-54-0x000007FEF27F0000-0x000007FEF3886000-memory.dmp

Filesize
16.6MB

Download
memory/1732-55-0x0000000000000000-mapping.dmp

Download
memory/1732-56-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing