35088ea25301db3dab3752a3ab02332083339080a3f8c8fd253b70607492aa26

max time kernel
1800s
max time network
1795s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-08-2023 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExcenSC.exe
Size

93KB
MD5

caa7446c3e832a53be9336da30627217
SHA1

fd6476edb0eada6f521ff9f22b58ea9ae5e1e957
SHA256

35088ea25301db3dab3752a3ab02332083339080a3f8c8fd253b70607492aa26
SHA512

330724395111ff77e43b172f62a30f22c7305125924d1ca9ac0977ad622794075ae5f07fc494ebb01ce886597436332d35dac711a7f3d228b47fe111da92f3d7
SSDEEP

768:cY3yGL30YTXspgM0m2zGjpyDtdXWuxtXYLWhyXxrjEtCdnl2pi1Rz4Rk3ysGdpq3:eGD0AA0mT1mrWxL5jEwzGi1dDODqgS

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
2900	netsh.exe
2668	netsh.exe
2872	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	ExcenSC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	ExcenSC.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	ExcenSC.exe
File opened for modification	C:\autorun.inf	ExcenSC.exe
File created	F:\autorun.inf	ExcenSC.exe
File opened for modification	F:\autorun.inf	ExcenSC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe
2888	ExcenSC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	ExcenSC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe
Token: SeIncBasePriorityPrivilege	2888	ExcenSC.exe
Token: 33	2888	ExcenSC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2900	2888	ExcenSC.exe	28
PID 2888 wrote to memory of 2900	2888	ExcenSC.exe	28
PID 2888 wrote to memory of 2900	2888	ExcenSC.exe	28
PID 2888 wrote to memory of 2900	2888	ExcenSC.exe	28
PID 2888 wrote to memory of 2668	2888	ExcenSC.exe	30
PID 2888 wrote to memory of 2668	2888	ExcenSC.exe	30
PID 2888 wrote to memory of 2668	2888	ExcenSC.exe	30
PID 2888 wrote to memory of 2668	2888	ExcenSC.exe	30
PID 2888 wrote to memory of 2872	2888	ExcenSC.exe	31
PID 2888 wrote to memory of 2872	2888	ExcenSC.exe	31
PID 2888 wrote to memory of 2872	2888	ExcenSC.exe	31
PID 2888 wrote to memory of 2872	2888	ExcenSC.exe	31

C:\Users\Admin\AppData\Local\Temp\ExcenSC.exe
"C:\Users\Admin\AppData\Local\Temp\ExcenSC.exe"
1⤵
- Drops startup file
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ExcenSC.exe" "ExcenSC.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2900
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\ExcenSC.exe"
  2⤵
  - Modifies Windows Firewall
  PID:2668
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ExcenSC.exe" "ExcenSC.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\Umbrella.flv.exe

Filesize
93KB

MD5
caa7446c3e832a53be9336da30627217

SHA1
fd6476edb0eada6f521ff9f22b58ea9ae5e1e957

SHA256
35088ea25301db3dab3752a3ab02332083339080a3f8c8fd253b70607492aa26

SHA512
330724395111ff77e43b172f62a30f22c7305125924d1ca9ac0977ad622794075ae5f07fc494ebb01ce886597436332d35dac711a7f3d228b47fe111da92f3d7

Download Submit
memory/2888-0-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2888-13-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-14-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-15-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download