26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48

General

Target

26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe
Size

132KB
MD5

23926ca17880d00dad32df4a41df0644
SHA1

172b6f7114854e31f6f921678d177f419e57a549
SHA256

26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48
SHA512

79a72db914c8cf82888cd0034431278aeddb3a865675048853d176c83774e559927f49318fb461a867eb4380537692a73d64669b84b8ff29dfca780c899871c7
SSDEEP

3072:YqPg6BfNjU07DMr9ty3ySaaFgfO1YyZUyEEP:HPg6Vu0PSGySRkyZ9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4560	ntfyapp.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2620	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfyapp = "C:\\Windows\\ntfyapp.exe"	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntfyapp.exe	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe
File opened for modification	C:\Windows\ntfyapp.exe	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe
File created	C:\Windows\ntfyapp.config	ntfyapp.exe
File opened for modification	C:\Windows\ntfyapp.config	ntfyapp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 1356	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	81
PID 4464 wrote to memory of 1356	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	81
PID 4464 wrote to memory of 1356	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	81
PID 4464 wrote to memory of 1984	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	83
PID 4464 wrote to memory of 1984	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	83
PID 4464 wrote to memory of 1984	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	83
PID 4464 wrote to memory of 4560	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	86
PID 4464 wrote to memory of 4560	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	86
PID 4464 wrote to memory of 4560	4464	26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe	86
PID 4560 wrote to memory of 2620	4560	ntfyapp.exe	87
PID 4560 wrote to memory of 2620	4560	ntfyapp.exe	87
PID 4560 wrote to memory of 2620	4560	ntfyapp.exe	87
PID 1984 wrote to memory of 4156	1984	w32tm.exe	90
PID 1984 wrote to memory of 4156	1984	w32tm.exe	90
PID 1356 wrote to memory of 5068	1356	w32tm.exe	89
PID 1356 wrote to memory of 5068	1356	w32tm.exe	89

C:\Users\Admin\AppData\Local\Temp\26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe
"C:\Users\Admin\AppData\Local\Temp\26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    PID:5068
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /update
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\w32tm.exe
    w32tm /config /update
    3⤵
    PID:4156
- C:\Windows\ntfyapp.exe
  "C:\Windows\ntfyapp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\ntfyapp.exe" enable
    3⤵
    - Modifies Windows Firewall
    PID:2620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ntfyapp.exe

Filesize
132KB

MD5
23926ca17880d00dad32df4a41df0644

SHA1
172b6f7114854e31f6f921678d177f419e57a549

SHA256
26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48

SHA512
79a72db914c8cf82888cd0034431278aeddb3a865675048853d176c83774e559927f49318fb461a867eb4380537692a73d64669b84b8ff29dfca780c899871c7

Download Submit
C:\Windows\ntfyapp.exe

Filesize
132KB

MD5
23926ca17880d00dad32df4a41df0644

SHA1
172b6f7114854e31f6f921678d177f419e57a549

SHA256
26caaa36ff182995fdfa329b1b9413c04f60e279d99f19a691a75b32244eba48

SHA512
79a72db914c8cf82888cd0034431278aeddb3a865675048853d176c83774e559927f49318fb461a867eb4380537692a73d64669b84b8ff29dfca780c899871c7

Download Submit
memory/1356-135-0x0000000000000000-mapping.dmp

Download
memory/1984-136-0x0000000000000000-mapping.dmp

Download
memory/2620-142-0x0000000000000000-mapping.dmp

Download
memory/4156-143-0x0000000000000000-mapping.dmp

Download
memory/4464-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4464-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4464-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4560-137-0x0000000000000000-mapping.dmp

Download
memory/5068-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing