a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309

General

Target

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
Size

171KB
MD5

01ec03319966ca96eee4ce20485a48b2
SHA1

80a1ab4922d3b8cc2e1e6df3750492c435a2528e
SHA256

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309
SHA512

5221cc593a8105794e0e4359dd4af10383497dee61a29227747ecc34dbf6db05eaf0382af487e429d20df9b5ff00ab09962502c9551aa45d5c24c5ad04ec4c32
SSDEEP

3072:Dhuomne0JSGnjpeb2sjyG9Umhh/RviwJKQx/PaPB2RBZ65AThUAIoFX1Zqbq:k7I1QmXRviwJKOHOB2/Z1hv

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

936 netsh.exe
896 netsh.exe
600 netsh.exe

pid	process
936	netsh.exe
896	netsh.exe
600	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

description	pid	process	target process
PID 1536 set thread context of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exea99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

description	pid	process
Token: SeDebugPrivilege	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
Token: SeDebugPrivilege	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
Token: SeDebugPrivilege	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exea99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

description	pid	process	target process
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1536 wrote to memory of 1316	1536	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
PID 1316 wrote to memory of 896	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 896	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 896	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 896	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 600	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 600	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 600	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 600	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 936	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 936	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 936	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe
PID 1316 wrote to memory of 936	1316	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
"C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
  C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule profile=any name=Win2y2
    3⤵
    - Modifies Windows Firewall
    PID:896
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=out name=Win2y2 program="C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe"
    3⤵
    - Modifies Windows Firewall
    PID:600
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=Win2y2 program="C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe"
    3⤵
    - Modifies Windows Firewall
    PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-64-0x0000000000000000-mapping.dmp

Download
memory/896-63-0x0000000000000000-mapping.dmp

Download
memory/936-65-0x0000000000000000-mapping.dmp

Download
memory/1316-57-0x00000000131596AC-mapping.dmp

Download
memory/1316-58-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1316-60-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1316-56-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1316-69-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1316-70-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1536-62-0x00000000006D5000-0x00000000006E6000-memory.dmp

Filesize
68KB

Download
memory/1536-61-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1536-55-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads