4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003

General

Target

4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
Size

29KB
MD5

75d24288b591c903d6f5d9682aafda9c
SHA1

b6b0a1994b9c30e12f28a420de53f1565d6a0c40
SHA256

4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003
SHA512

fc07b9654f77e66860d02af6fafea165af8662b7138103c2445ed68b321b96c3dad157661fed30ed64499e7a7e10ad98fada00b46a9d48f316ef7b973da89920
SSDEEP

384:NhpQjtl7jBnoKoK3JX15nHK4GumRDWEReIlGBsbh0w4wlAokw9OhgOL1vYRGOZzg:N27hoKoGJFNK4ARvRehBKh0p29SgRd6

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1716 netsh.exe

pid	process
1716	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe\" .."	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe\" .."	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

pid	process
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

description pid process

Token: SeDebugPrivilege 1480 4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

description	pid	process
Token: SeDebugPrivilege	1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe

description	pid	process	target process
PID 1480 wrote to memory of 1716	1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe	netsh.exe
PID 1480 wrote to memory of 1716	1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe	netsh.exe
PID 1480 wrote to memory of 1716	1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe	netsh.exe
PID 1480 wrote to memory of 1716	1480	4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe
"C:\Users\Admin\AppData\Local\Temp\4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe" "4c0a6a6a08a093f5e1e0c701ce1e6b7458c161f134f7fb632404d8d1fa346003.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1480-56-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-58-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads