74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

General

Target

74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
Size

120KB
MD5

812c7fc86d0f6213b42901e0900483e7
SHA1

09bfa3fe338cee7221857c347c4b4fea2f2eec49
SHA256

74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47
SHA512

36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2
SSDEEP

1536:ojqQukmLkY/vO74BzIAS/B9SQzebQcMxVOUrt8t+MYYogMi+67RG:oLhWkYZvSHbz4MNt8t+eogZ+6l

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
916	file.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1012	netsh.exe
1392	netsh.exe
1328	netsh.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPSystem = "C:\\Users\\Admin\\AppData\\Roaming\\file.exe"	file.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
Token: SeDebugPrivilege	1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
Token: SeDebugPrivilege	916	file.exe
Token: SeDebugPrivilege	916	file.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 916	1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	27
PID 1000 wrote to memory of 916	1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	27
PID 1000 wrote to memory of 916	1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	27
PID 1000 wrote to memory of 916	1000	74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe	27
PID 916 wrote to memory of 1012	916	file.exe	28
PID 916 wrote to memory of 1012	916	file.exe	28
PID 916 wrote to memory of 1012	916	file.exe	28
PID 916 wrote to memory of 1012	916	file.exe	28
PID 916 wrote to memory of 1392	916	file.exe	29
PID 916 wrote to memory of 1392	916	file.exe	29
PID 916 wrote to memory of 1392	916	file.exe	29
PID 916 wrote to memory of 1392	916	file.exe	29
PID 916 wrote to memory of 1328	916	file.exe	31
PID 916 wrote to memory of 1328	916	file.exe	31
PID 916 wrote to memory of 1328	916	file.exe	31
PID 916 wrote to memory of 1328	916	file.exe	31

C:\Users\Admin\AppData\Local\Temp\74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe
"C:\Users\Admin\AppData\Local\Temp\74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Roaming\file.exe
  "C:\Users\Admin\AppData\Roaming\file.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule profile=any name=Win2y2
    3⤵
    - Modifies Windows Firewall
    PID:1012
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=out name=Win2y2 program="C:\Users\Admin\AppData\Roaming\file.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1392
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name=Win2y2 program="C:\Users\Admin\AppData\Roaming\file.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\file.exe

Filesize
120KB

MD5
812c7fc86d0f6213b42901e0900483e7

SHA1
09bfa3fe338cee7221857c347c4b4fea2f2eec49

SHA256
74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

SHA512
36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2

Download Submit
\Users\Admin\AppData\Roaming\file.exe

Filesize
120KB

MD5
812c7fc86d0f6213b42901e0900483e7

SHA1
09bfa3fe338cee7221857c347c4b4fea2f2eec49

SHA256
74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

SHA512
36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2

Download Submit
\Users\Admin\AppData\Roaming\file.exe

Filesize
120KB

MD5
812c7fc86d0f6213b42901e0900483e7

SHA1
09bfa3fe338cee7221857c347c4b4fea2f2eec49

SHA256
74a3e8f7d039ba03c0ef4b81de0cdd5ecae28b68afc6c03666de10a740d1ba47

SHA512
36c59ecd97e8ea794494a41c4e9e88baeaa8b9dfa5160256b2482e8a654ad5be0a5c283e51ad7e01672beb9d2f13122f425245023d490cf28e2b7d5c901983d2

Download Submit
memory/1000-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing