ff67d97ad0ddcac29d3081e30029a4014b7f1646a3bcc2541ef49c62ea718df5

General

Target

FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Size

93KB
MD5

e7468e6a89aeedd909f7f838d16140ec
SHA1

61a285db4a887ed0bbf36a2291514ba6cbac1e85
SHA256

ff67d97ad0ddcac29d3081e30029a4014b7f1646a3bcc2541ef49c62ea718df5
SHA512

1da98e99db82b490f943414890966a4b6e13c74913cb0f0633890adf8007c269be203173e8e7e128a380fa8d14a32aad08f61a5ca2508dc15b9aefb62fd54ea4
SSDEEP

768:JY3zxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk31sG1:QxxOx6baIa9ROj00ljEwzGi1dDFDhgS

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1108 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1108	netsh.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

description	ioc	process
File created	C:\autorun.inf	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
File opened for modification	C:\autorun.inf	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

pid	process
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

pid process

3980 FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

description	pid	process
Token: SeDebugPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: 33	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
Token: SeIncBasePriorityPrivilege	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe

description	pid	process	target process
PID 3980 wrote to memory of 1108	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe	netsh.exe
PID 3980 wrote to memory of 1108	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe	netsh.exe
PID 3980 wrote to memory of 1108	3980	FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe
"C:\Users\Admin\AppData\Local\Temp\FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe"
1⤵
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe" "FF67D97AD0DDCAC29D3081E30029A4014B7F1646A3BCC.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3980-133-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download
memory/3980-139-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads