bb9532c4c1f551755b701d781aeb17530ca72f54db4a08d3a08f3e1b371e2a1e

General

Target

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Size

37KB
MD5

a8d353fe68c4d8129cad19385b04bf94
SHA1

3bfa6c3c2ee96f829c8baf625fff8f7a5c2c5fbd
SHA256

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc
SHA512

39fbdc2ef9204564625600ed58d14090f3463576ce7bfce82117a98bf268bd169d9cf287cf5b779856a6075ba93b6932ef547d6b3bf3f8e261192762dc539772
SSDEEP

384:vuoPVSikmD0NVtv/Vey0bEGfF8s+yvErAF+rMRTyN/0L+EcoinblneHQM3epzXJn:m4HO1VV0bEGmVycrM+rMRa8Nuf9t

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

916 netsh.exe

pid	process
916	netsh.exe

Drops startup file 2 IoCs

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1bc01589947839912291841e607b317.exe	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e1bc01589947839912291841e607b317.exe	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1bc01589947839912291841e607b317 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe\" .."	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e1bc01589947839912291841e607b317 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe\" .."	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

description	ioc	process
File created	C:\autorun.inf	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
File opened for modification	C:\autorun.inf	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
File created	D:\autorun.inf	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

pid	process
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

pid process

1712 25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

description	pid	process
Token: SeDebugPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: 33	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
Token: SeIncBasePriorityPrivilege	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe

description	pid	process	target process
PID 1712 wrote to memory of 916	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe	netsh.exe
PID 1712 wrote to memory of 916	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe	netsh.exe
PID 1712 wrote to memory of 916	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe	netsh.exe
PID 1712 wrote to memory of 916	1712	25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe
"C:\Users\Admin\AppData\Local\Temp\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe" "25e95eb1e3a25afced9c5f161384f54242337b5ab4e542908cc3fc4b125b64bc.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-54-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/1712-60-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads