Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-03-2023 05:17
Behavioral task: behavioral1
- Sample: FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
- Resource: win10v2004-20230220-en
General
- Target: FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
- Size: 93KB
- MD5: e7468e6a89aeedd909f7f838d16140ec
- SHA1: 61a285db4a887ed0bbf36a2291514ba6cbac1e85
- SHA256: ff67d97ad0ddcac29d3081e30029a4014b7f1646a3bcc2541ef49c62ea718df5
- SHA512: 1da98e99db82b490f943414890966a4b6e13c74913cb0f0633890adf8007c269be203173e8e7e128a380fa8d14a32aad08f61a5ca2508dc15b9aefb62fd54ea4
- SSDEEP: 768:JY3zxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk31sG1:QxxOx6baIa9ROj00ljEwzGi1dDFDhgS
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
  description                  | ioc            | process
  File created                 | C:\autorun.inf | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
  File opened for modification | C:\autorun.inf | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid  | process
  1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
  (this same entry is repeated for all 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid  | process
  1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
  description                       | pid  | process
  Token: SeDebugPrivilege           | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
  Token: 33                         | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
  Token: SeIncBasePriorityPrivilege | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
  (the "Token: 33" and "Token: SeIncBasePriorityPrivilege" entries alternate 12 times each, for 25 IoCs in total)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                     | pid  | process                                            | target process
  PID 1980 wrote to memory of 544 | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe | netsh.exe
  PID 1980 wrote to memory of 544 | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe | netsh.exe
  PID 1980 wrote to memory of 544 | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe | netsh.exe
  PID 1980 wrote to memory of 544 | 1980 | FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe"
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of the process above)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe" "FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1980-55-0x0000000002000000-0x0000000002040000-memory.dmp (Filesize: 256KB)