a5f74051f317f52f6d2fbe9546fb92cf985aefbbcf74f6694e5b70095d8c637f

General

Target

7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Size

93KB
MD5

7d751c5400ebc2f605dcbeaf9bcb9d89
SHA1

e8fd45c97fef85d3509ee2737c5936c35ae4e222
SHA256

a5f74051f317f52f6d2fbe9546fb92cf985aefbbcf74f6694e5b70095d8c637f
SHA512

413a7dbf1e13524d0eed52ed0849b6ae67b5abaf525944d1bcb4f4bc66c10dbad40b000f222162eebc99cd38a24bb4d76a7693f7b5ec28cebcb835c3f5f7ee9b
SSDEEP

1536:mxuYW6qbkW8aVpO1iRkoojEwzGi1dD5D8gS:mxW8aVpOwSCi1dFV

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
576	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	7d751c5400ebc2f605dcbeaf9bcb9d89.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
File opened for modification	C:\autorun.inf	7d751c5400ebc2f605dcbeaf9bcb9d89.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	7d751c5400ebc2f605dcbeaf9bcb9d89.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	7d751c5400ebc2f605dcbeaf9bcb9d89.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: 33	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Token: SeIncBasePriorityPrivilege	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 576	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe	28
PID 2032 wrote to memory of 576	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe	28
PID 2032 wrote to memory of 576	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe	28
PID 2032 wrote to memory of 576	2032	7d751c5400ebc2f605dcbeaf9bcb9d89.exe	28

C:\Users\Admin\AppData\Local\Temp\7d751c5400ebc2f605dcbeaf9bcb9d89.exe
"C:\Users\Admin\AppData\Local\Temp\7d751c5400ebc2f605dcbeaf9bcb9d89.exe"
1⤵
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7d751c5400ebc2f605dcbeaf9bcb9d89.exe" "7d751c5400ebc2f605dcbeaf9bcb9d89.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Explower.exe

Filesize
93KB

MD5
7d751c5400ebc2f605dcbeaf9bcb9d89

SHA1
e8fd45c97fef85d3509ee2737c5936c35ae4e222

SHA256
a5f74051f317f52f6d2fbe9546fb92cf985aefbbcf74f6694e5b70095d8c637f

SHA512
413a7dbf1e13524d0eed52ed0849b6ae67b5abaf525944d1bcb4f4bc66c10dbad40b000f222162eebc99cd38a24bb4d76a7693f7b5ec28cebcb835c3f5f7ee9b

Download Submit
memory/2032-55-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2032-70-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads