bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94 | Triage

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2023 19:41

Sharing

Report Analysis Logs

General

Target

017fa7a20c92152e2a5533f75f090469.exe
Size

93KB
MD5

017fa7a20c92152e2a5533f75f090469
SHA1

7ea751d6b4f9f03e4f23603103edc4ccfdebbfdc
SHA256

bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94
SHA512

6d330633b96af51187c362c280e00d3a0a199bf4ff5f21dfddd591dbffafd18b9e0fb5154dffbae0c94790addc62763c872ce10c7ae93a4cdf73e1b26d303ba5
SSDEEP

1536:TewOQIBlfGQFk2ZonmzaMxjEwzGi1dDsD1gS:TewMtFk2ZonmuMOi1dSC

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exe

pid process

3188 netsh.exe
768 netsh.exe
4688 netsh.exe

Drops startup file 6 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	017fa7a20c92152e2a5533f75f090469.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	017fa7a20c92152e2a5533f75f090469.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03c49c7f7bdfd684069ba84c510171c9Steam.exe	017fa7a20c92152e2a5533f75f090469.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03c49c7f7bdfd684069ba84c510171c9Steam.exe	017fa7a20c92152e2a5533f75f090469.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	017fa7a20c92152e2a5533f75f090469.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	017fa7a20c92152e2a5533f75f090469.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	017fa7a20c92152e2a5533f75f090469.exe
File created	C:\Windows\SysWOW64\Explower.exe	017fa7a20c92152e2a5533f75f090469.exe

Drops file in Program Files directory 2 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

description	ioc	process
File created	C:\Program Files (x86)\Explower.exe	017fa7a20c92152e2a5533f75f090469.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	017fa7a20c92152e2a5533f75f090469.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

pid	process
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe
1520	017fa7a20c92152e2a5533f75f090469.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

pid process

1520 017fa7a20c92152e2a5533f75f090469.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

description	pid	process
Token: SeDebugPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: 33	1520	017fa7a20c92152e2a5533f75f090469.exe
Token: SeIncBasePriorityPrivilege	1520	017fa7a20c92152e2a5533f75f090469.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

017fa7a20c92152e2a5533f75f090469.exe

description	pid	process	target process
PID 1520 wrote to memory of 3188	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 3188	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 3188	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 4688	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 4688	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 4688	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 768	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 768	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe
PID 1520 wrote to memory of 768	1520	017fa7a20c92152e2a5533f75f090469.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe
"C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe" "017fa7a20c92152e2a5533f75f090469.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3188

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe" "017fa7a20c92152e2a5533f75f090469.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:768

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\017fa7a20c92152e2a5533f75f090469.exe"
2⤵
- Modifies Windows Firewall
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
017fa7a20c92152e2a5533f75f090469

SHA1
7ea751d6b4f9f03e4f23603103edc4ccfdebbfdc

SHA256
bc9c846acf87982d46c27024cd876656135ecffa39bd5406beb77af3df215e94

SHA512
6d330633b96af51187c362c280e00d3a0a199bf4ff5f21dfddd591dbffafd18b9e0fb5154dffbae0c94790addc62763c872ce10c7ae93a4cdf73e1b26d303ba5

Download Submit
memory/1520-0-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/1520-1-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/1520-2-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/1520-19-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/1520-20-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download