a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309

General

Target

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
Size

171KB
MD5

01ec03319966ca96eee4ce20485a48b2
SHA1

80a1ab4922d3b8cc2e1e6df3750492c435a2528e
SHA256

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309
SHA512

5221cc593a8105794e0e4359dd4af10383497dee61a29227747ecc34dbf6db05eaf0382af487e429d20df9b5ff00ab09962502c9551aa45d5c24c5ad04ec4c32
SSDEEP

3072:Dhuomne0JSGnjpeb2sjyG9Umhh/RviwJKQx/PaPB2RBZ65AThUAIoFX1Zqbq:k7I1QmXRviwJKOHOB2/Z1hv

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid	Process
1588	netsh.exe
4876	netsh.exe
1324	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

description	pid	Process	procid_target
PID 3052 set thread context of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exea99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

description	pid	Process
Token: SeDebugPrivilege	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
Token: SeDebugPrivilege	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
Token: SeDebugPrivilege	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exea99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe

description	pid	Process	procid_target
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 3052 wrote to memory of 5076	3052	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	82
PID 5076 wrote to memory of 1588	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	83
PID 5076 wrote to memory of 1588	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	83
PID 5076 wrote to memory of 1588	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	83
PID 5076 wrote to memory of 4876	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	84
PID 5076 wrote to memory of 4876	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	84
PID 5076 wrote to memory of 4876	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	84
PID 5076 wrote to memory of 1324	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	88
PID 5076 wrote to memory of 1324	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	88
PID 5076 wrote to memory of 1324	5076	a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe	88

C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
"C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
  C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule profile=any name=Win2y2
    3⤵
    - Modifies Windows Firewall
    PID:1588
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=out name=Win2y2 program="C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe"
    3⤵
    - Modifies Windows Firewall
    PID:4876
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=Win2y2 program="C:\Users\Admin\AppData\Local\Temp\a99b2fbca2e80ea7ca4662f8858254caf3e554a85bf52e7740b1019b7deeb309.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-140-0x0000000000000000-mapping.dmp

Download
memory/1588-138-0x0000000000000000-mapping.dmp

Download
memory/3052-132-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-137-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-139-0x0000000000000000-mapping.dmp

Download
memory/5076-133-0x0000000000000000-mapping.dmp

Download
memory/5076-135-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/5076-134-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/5076-136-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/5076-141-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/5076-142-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads