a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
301s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/lol.exe
Size

37KB
MD5

9b83bffc3fdc0219471d937e2343d5d8
SHA1

9e45b98a6eb05399ca5e20504e965844f9d1a406
SHA256

982e75c4603d2e02864bdc6847020f5ee29c7265639e8a040fe37ae241f6433e
SHA512

781b6cbca6cde428094189e12443c8723e543ac3df3a42b69e9eba83c890602dd31878eb33dbfb46a593d9746c9e14b024e81341688439851dff269446c56322
SSDEEP

384:NwSvEiTbTvpWNcZ0y8fvCv3v3cLkacparAF+rMRTyN/0L+EcoinblneHQM3epzXs:uS7TZ38fvCv3E1cQrM+rMRa8Nu29t

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1060 netsh.exe

pid	process
1060	netsh.exe

Drops startup file 2 IoCs

Processes:

lol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4a592a96ea7c45f9ee4a9c42a1e0f9d.exe	lol.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4a592a96ea7c45f9ee4a9c42a1e0f9d.exe	lol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lol.exe

pid process

4952 lol.exe

pid	process
4952	lol.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

lol.exe

description	pid	process
Token: SeDebugPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe
Token: SeIncBasePriorityPrivilege	4952	lol.exe
Token: 33	4952	lol.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

lol.exe

description	pid	process	target process
PID 4952 wrote to memory of 1060	4952	lol.exe	netsh.exe
PID 4952 wrote to memory of 1060	4952	lol.exe	netsh.exe
PID 4952 wrote to memory of 1060	4952	lol.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\lol.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\lol.exe"
1⤵
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\lol.exe" "lol.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-133-0x0000000000000000-mapping.dmp

Download
memory/4952-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4952-134-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download