52f4937c80ab5e677ef2a0a169632067a74f8b9eef4f4994e9f5a9f5e36c2b56

Analysis

max time kernel
186s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

121e18b2c5111707637ef2896cfb566c.exe
Size

37KB
MD5

121e18b2c5111707637ef2896cfb566c
SHA1

4f7f131ba7dc7e6bfe98c092b95fe891e50b0105
SHA256

52f4937c80ab5e677ef2a0a169632067a74f8b9eef4f4994e9f5a9f5e36c2b56
SHA512

7035f403662c6f01a4f1475c929888aff82650e2328ce45cd916dbfef7b53542ca5b402f20e189f8afb9f7e8619c21d2dfe7b173872da6965bc7dea86ebfc616
SSDEEP

384:u8Os0IiejvCVLO309QmykrtG+dA+VfwvOSifrAF+rMRTyN/0L+EcoinblneHQM3T:GFdGdkrgYRwWS0rM+rMRa8NuHYt

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5060 netsh.exe

pid	process
5060	netsh.exe

Drops startup file 2 IoCs

Processes:

121e18b2c5111707637ef2896cfb566c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c60029bc13b6f6bd71b31a478dff99d5.exe	121e18b2c5111707637ef2896cfb566c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c60029bc13b6f6bd71b31a478dff99d5.exe	121e18b2c5111707637ef2896cfb566c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

121e18b2c5111707637ef2896cfb566c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c60029bc13b6f6bd71b31a478dff99d5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\121e18b2c5111707637ef2896cfb566c.exe\" .."	121e18b2c5111707637ef2896cfb566c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c60029bc13b6f6bd71b31a478dff99d5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\121e18b2c5111707637ef2896cfb566c.exe\" .."	121e18b2c5111707637ef2896cfb566c.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

121e18b2c5111707637ef2896cfb566c.exe

description	pid	process
Token: SeDebugPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: 33	3120	121e18b2c5111707637ef2896cfb566c.exe
Token: SeIncBasePriorityPrivilege	3120	121e18b2c5111707637ef2896cfb566c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

121e18b2c5111707637ef2896cfb566c.exe

description	pid	process	target process
PID 3120 wrote to memory of 5060	3120	121e18b2c5111707637ef2896cfb566c.exe	netsh.exe
PID 3120 wrote to memory of 5060	3120	121e18b2c5111707637ef2896cfb566c.exe	netsh.exe
PID 3120 wrote to memory of 5060	3120	121e18b2c5111707637ef2896cfb566c.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe
"C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe" "121e18b2c5111707637ef2896cfb566c.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3120-132-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/3120-133-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/5060-134-0x0000000000000000-mapping.dmp

Download