af20d219cb1b2a55aa52637195a6f797f6fb980148735c54e5598c224d32307e

General

Target

5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Size

93KB
MD5

627d146f44e901aa1bcd48effb3b788f
SHA1

8964f3c422dc04d0e71c7fe8439df4da708eeb3b
SHA256

5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e
SHA512

91c3cb47d136166b11fd64c5efad4ce063197ea42de19dc74c9b557e82ec7b8f15b9dace70891259abd27d0775b8efccf089f34f44586350d383268568ae12c5
SSDEEP

768:lY31Um/o9eUVTsZ4E+rLDPQmJ/ewL54lLdJXn5513Sr2YxgXxrjEtCdnl2pi1RzC:yUeoZp/eM4LvFSrdqjEwzGi1dDcD/gS

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4456 netsh.exe

pid	process
4456	netsh.exe

Drops startup file 2 IoCs

Processes:

5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.exe	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.exe	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

35 0.tcp.eu.ngrok.io
52 0.tcp.eu.ngrok.io
65 0.tcp.eu.ngrok.io
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

pid process

228 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

flow	ioc
35	0.tcp.eu.ngrok.io
52	0.tcp.eu.ngrok.io
65	0.tcp.eu.ngrok.io

pid	process
228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

description	pid	process
Token: SeDebugPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: 33	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
Token: SeIncBasePriorityPrivilege	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe

description	pid	process	target process
PID 228 wrote to memory of 4456	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe	netsh.exe
PID 228 wrote to memory of 4456	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe	netsh.exe
PID 228 wrote to memory of 4456	228	5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
"C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe"
1⤵
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe" "5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-0-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/228-1-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/228-2-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/228-5-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/228-6-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/228-7-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads