e0c20f5a29873f39946092bb1a3a8c4be9b0dcf8a642e05bfc96e317cb19c7bc

General

Target

a0ab90b4490216516636d325d1a1d6ff.exe
Size

37KB
MD5

a0ab90b4490216516636d325d1a1d6ff
SHA1

794c4e7e7fbb9623995b71f9adb3d8c2b1b2a3df
SHA256

e0c20f5a29873f39946092bb1a3a8c4be9b0dcf8a642e05bfc96e317cb19c7bc
SHA512

2f2d01ce2dfed25f009b26b331f66139b3a45855cbbd68947f9577616e9f9e584e9c7bf6a30e1e697b206cc2b91687b19bca084aa2a0303a946f516769abb9a7
SSDEEP

384:R286WIiejtCVLO309Qmykrt4QdqMjf+vWEWYrAF+rMRTyN/0L+EcoinblneHQM3/:1HdGdkrOGb+eE7rM+rMRa8NuDIt

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4120 netsh.exe

pid	process
4120	netsh.exe

Drops startup file 2 IoCs

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d698f966f33827a4c6bfcafca2ab9ed.exe	a0ab90b4490216516636d325d1a1d6ff.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d698f966f33827a4c6bfcafca2ab9ed.exe	a0ab90b4490216516636d325d1a1d6ff.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d698f966f33827a4c6bfcafca2ab9ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a0ab90b4490216516636d325d1a1d6ff.exe\" .."	a0ab90b4490216516636d325d1a1d6ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0d698f966f33827a4c6bfcafca2ab9ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a0ab90b4490216516636d325d1a1d6ff.exe\" .."	a0ab90b4490216516636d325d1a1d6ff.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

description	ioc	process
File created	C:\autorun.inf	a0ab90b4490216516636d325d1a1d6ff.exe
File opened for modification	C:\autorun.inf	a0ab90b4490216516636d325d1a1d6ff.exe
File created	D:\autorun.inf	a0ab90b4490216516636d325d1a1d6ff.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

pid	process
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe
4632	a0ab90b4490216516636d325d1a1d6ff.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

pid process

4632 a0ab90b4490216516636d325d1a1d6ff.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

description	pid	process
Token: SeDebugPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: 33	4632	a0ab90b4490216516636d325d1a1d6ff.exe
Token: SeIncBasePriorityPrivilege	4632	a0ab90b4490216516636d325d1a1d6ff.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a0ab90b4490216516636d325d1a1d6ff.exe

description	pid	process	target process
PID 4632 wrote to memory of 4120	4632	a0ab90b4490216516636d325d1a1d6ff.exe	netsh.exe
PID 4632 wrote to memory of 4120	4632	a0ab90b4490216516636d325d1a1d6ff.exe	netsh.exe
PID 4632 wrote to memory of 4120	4632	a0ab90b4490216516636d325d1a1d6ff.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a0ab90b4490216516636d325d1a1d6ff.exe
"C:\Users\Admin\AppData\Local\Temp\a0ab90b4490216516636d325d1a1d6ff.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a0ab90b4490216516636d325d1a1d6ff.exe" "a0ab90b4490216516636d325d1a1d6ff.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4632-133-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download
memory/4632-139-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads