Analysis
max time kernel: 151s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 09:13
Behavioral task: behavioral1
Sample: a0ab90b4490216516636d325d1a1d6ff.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: a0ab90b4490216516636d325d1a1d6ff.exe
Resource: win10v2004-20230221-en
General
Target: a0ab90b4490216516636d325d1a1d6ff.exe
Size: 37KB
MD5: a0ab90b4490216516636d325d1a1d6ff
SHA1: 794c4e7e7fbb9623995b71f9adb3d8c2b1b2a3df
SHA256: e0c20f5a29873f39946092bb1a3a8c4be9b0dcf8a642e05bfc96e317cb19c7bc
SHA512: 2f2d01ce2dfed25f009b26b331f66139b3a45855cbbd68947f9577616e9f9e584e9c7bf6a30e1e697b206cc2b91687b19bca084aa2a0303a946f516769abb9a7
SSDEEP: 384:R286WIiejtCVLO309Qmykrt4QdqMjf+vWEWYrAF+rMRTyN/0L+EcoinblneHQM3/:1HdGdkrOGb+eE7rM+rMRa8NuDIt
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d698f966f33827a4c6bfcafca2ab9ed.exe (process: a0ab90b4490216516636d325d1a1d6ff.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d698f966f33827a4c6bfcafca2ab9ed.exe (process: a0ab90b4490216516636d325d1a1d6ff.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d698f966f33827a4c6bfcafca2ab9ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a0ab90b4490216516636d325d1a1d6ff.exe\" .." (process: a0ab90b4490216516636d325d1a1d6ff.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0d698f966f33827a4c6bfcafca2ab9ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a0ab90b4490216516636d325d1a1d6ff.exe\" .." (process: a0ab90b4490216516636d325d1a1d6ff.exe)
- Drops autorun.inf file (1 TTPs, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  File created: C:\autorun.inf (process: a0ab90b4490216516636d325d1a1d6ff.exe)
  File opened for modification: C:\autorun.inf (process: a0ab90b4490216516636d325d1a1d6ff.exe)
  File created: D:\autorun.inf (process: a0ab90b4490216516636d325d1a1d6ff.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  pid 4632, process a0ab90b4490216516636d325d1a1d6ff.exe (the same pid/process pair is recorded for all 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  pid 4632, process a0ab90b4490216516636d325d1a1d6ff.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  Token: SeDebugPrivilege, pid 4632, process a0ab90b4490216516636d325d1a1d6ff.exe
  Token: 33, pid 4632, process a0ab90b4490216516636d325d1a1d6ff.exe
  Token: SeIncBasePriorityPrivilege, pid 4632, process a0ab90b4490216516636d325d1a1d6ff.exe
  (the Token: 33 / Token: SeIncBasePriorityPrivilege pair repeats, alternating, for the remaining 34 IoCs, all with pid 4632 and the same process)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: a0ab90b4490216516636d325d1a1d6ff.exe
  PID 4632 wrote to memory of 4120, pid 4632, process a0ab90b4490216516636d325d1a1d6ff.exe, target process netsh.exe (recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a0ab90b4490216516636d325d1a1d6ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a0ab90b4490216516636d325d1a1d6ff.exe"
   - Drops startup file
   - Adds Run key to start application
   - Drops autorun.inf file
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a0ab90b4490216516636d325d1a1d6ff.exe" "a0ab90b4490216516636d325d1a1d6ff.exe" ENABLE
      - Modifies Windows Firewall