f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

General

Target

Majid Z Hacker.exe
Size

462KB
MD5

a8a8d6f3b48466242959545235d1c9b6
SHA1

0c2d670dc3b3b07a2498756e1d46fd1fee53a621
SHA256

09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec
SHA512

09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796
SSDEEP

12288:6rs81bE0LfUk6XLbwxMY4R/3CDOpeYYhN7zjYC/M:6H5rh6XPbYuCDOpmPzjZM

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 30 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3068	netsh.exe
1912	netsh.exe
3068	netsh.exe
4780	netsh.exe
1220	netsh.exe
2640	netsh.exe
1988	netsh.exe
4572	netsh.exe
4300	netsh.exe
1524	netsh.exe
3588	netsh.exe
1700	netsh.exe
1736	netsh.exe
1924	netsh.exe
1716	netsh.exe
2508	netsh.exe
3576	netsh.exe
1472	netsh.exe
1704	netsh.exe
4880	netsh.exe
644	netsh.exe
3132	netsh.exe
4816	netsh.exe
2056	netsh.exe
1392	netsh.exe
3812	netsh.exe
2748	netsh.exe
2844	netsh.exe
3372	netsh.exe
640	netsh.exe

Drops startup file 2 IoCs

Processes:

firewall.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	firewall.exe

Executes dropped EXE 6 IoCs

Processes:

firewall.exefirewall.exefirewall.exefirewall.exefirewall.exefirewall.exe

pid process

2848 firewall.exe
3932 firewall.exe
1616 firewall.exe
1408 firewall.exe
5080 firewall.exe
380 firewall.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

firewall.exefirewall.exefirewall.exefirewall.exefirewall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\34d91dfb34a7283483d0aaba9d10147d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe"	firewall.exe

Drops autorun.inf file 1 TTPs 16 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

firewall.exefirewall.exe

description	ioc	process
File created	C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Music\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\autorun.inf	firewall.exe
File created	C:\Users\Admin\Documents\My Videos\autorun.inf	firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

firewall.exe

pid	process
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe
2848	firewall.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firewall.exedw20.exefirewall.exefirewall.exefirewall.exefirewall.exe

description	pid	process
Token: SeDebugPrivilege	2848	firewall.exe
Token: SeRestorePrivilege	3860	dw20.exe
Token: SeBackupPrivilege	3860	dw20.exe
Token: SeBackupPrivilege	3860	dw20.exe
Token: SeBackupPrivilege	3860	dw20.exe
Token: SeDebugPrivilege	1616	firewall.exe
Token: SeDebugPrivilege	1408	firewall.exe
Token: SeDebugPrivilege	5080	firewall.exe
Token: SeDebugPrivilege	380	firewall.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

Majid Z Hacker.exeMajid Z Hacker.exefirewall.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exeMajid Z Hacker.exefirewall.exe

description	pid	process	target process
PID 3876 wrote to memory of 2948	3876	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 3876 wrote to memory of 2948	3876	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 3876 wrote to memory of 2948	3876	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 3876 wrote to memory of 2848	3876	Majid Z Hacker.exe	firewall.exe
PID 3876 wrote to memory of 2848	3876	Majid Z Hacker.exe	firewall.exe
PID 3876 wrote to memory of 2848	3876	Majid Z Hacker.exe	firewall.exe
PID 2948 wrote to memory of 4976	2948	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2948 wrote to memory of 4976	2948	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2948 wrote to memory of 4976	2948	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2948 wrote to memory of 3932	2948	Majid Z Hacker.exe	firewall.exe
PID 2948 wrote to memory of 3932	2948	Majid Z Hacker.exe	firewall.exe
PID 2948 wrote to memory of 3932	2948	Majid Z Hacker.exe	firewall.exe
PID 3932 wrote to memory of 3860	3932	firewall.exe	dw20.exe
PID 3932 wrote to memory of 3860	3932	firewall.exe	dw20.exe
PID 3932 wrote to memory of 3860	3932	firewall.exe	dw20.exe
PID 2848 wrote to memory of 2844	2848	firewall.exe	netsh.exe
PID 2848 wrote to memory of 2844	2848	firewall.exe	netsh.exe
PID 2848 wrote to memory of 2844	2848	firewall.exe	netsh.exe
PID 4976 wrote to memory of 4404	4976	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4976 wrote to memory of 4404	4976	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4976 wrote to memory of 4404	4976	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4976 wrote to memory of 1616	4976	Majid Z Hacker.exe	firewall.exe
PID 4976 wrote to memory of 1616	4976	Majid Z Hacker.exe	firewall.exe
PID 4976 wrote to memory of 1616	4976	Majid Z Hacker.exe	firewall.exe
PID 1616 wrote to memory of 1716	1616	firewall.exe	netsh.exe
PID 1616 wrote to memory of 1716	1616	firewall.exe	netsh.exe
PID 1616 wrote to memory of 1716	1616	firewall.exe	netsh.exe
PID 4404 wrote to memory of 3924	4404	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4404 wrote to memory of 3924	4404	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4404 wrote to memory of 3924	4404	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4404 wrote to memory of 1408	4404	Majid Z Hacker.exe	firewall.exe
PID 4404 wrote to memory of 1408	4404	Majid Z Hacker.exe	firewall.exe
PID 4404 wrote to memory of 1408	4404	Majid Z Hacker.exe	firewall.exe
PID 1408 wrote to memory of 3068	1408	firewall.exe	netsh.exe
PID 1408 wrote to memory of 3068	1408	firewall.exe	netsh.exe
PID 1408 wrote to memory of 3068	1408	firewall.exe	netsh.exe
PID 3924 wrote to memory of 2412	3924	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 3924 wrote to memory of 2412	3924	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 3924 wrote to memory of 2412	3924	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 3924 wrote to memory of 5080	3924	Majid Z Hacker.exe	firewall.exe
PID 3924 wrote to memory of 5080	3924	Majid Z Hacker.exe	firewall.exe
PID 3924 wrote to memory of 5080	3924	Majid Z Hacker.exe	firewall.exe
PID 5080 wrote to memory of 644	5080	firewall.exe	Conhost.exe
PID 5080 wrote to memory of 644	5080	firewall.exe	Conhost.exe
PID 5080 wrote to memory of 644	5080	firewall.exe	Conhost.exe
PID 2412 wrote to memory of 3724	2412	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2412 wrote to memory of 3724	2412	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2412 wrote to memory of 3724	2412	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 2412 wrote to memory of 380	2412	Majid Z Hacker.exe	firewall.exe
PID 2412 wrote to memory of 380	2412	Majid Z Hacker.exe	firewall.exe
PID 2412 wrote to memory of 380	2412	Majid Z Hacker.exe	firewall.exe
PID 380 wrote to memory of 1524	380	firewall.exe	netsh.exe
PID 380 wrote to memory of 1524	380	firewall.exe	netsh.exe
PID 380 wrote to memory of 1524	380	firewall.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
7⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
8⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
9⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
10⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
11⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
12⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
13⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
14⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
15⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
16⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
17⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
18⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
19⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
20⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
21⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
22⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
23⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
24⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
25⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
26⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
27⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
28⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
29⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
30⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
31⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
32⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
32⤵
PID:3580

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
33⤵
- Modifies Windows Firewall
PID:4300

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
31⤵
PID:4720

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
32⤵
- Modifies Windows Firewall
PID:4572

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
30⤵
PID:2400

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
31⤵
- Modifies Windows Firewall
PID:4880

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
29⤵
PID:3364

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
30⤵
- Modifies Windows Firewall
PID:4780

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
28⤵
PID:1268

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
29⤵
- Modifies Windows Firewall
PID:1704

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
27⤵
PID:3768

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
28⤵
- Modifies Windows Firewall
PID:2056

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
26⤵
PID:3160

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
27⤵
- Modifies Windows Firewall
PID:1988

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
25⤵
PID:4200

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
26⤵
- Modifies Windows Firewall
PID:4816

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
24⤵
PID:4424

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
25⤵
- Modifies Windows Firewall
PID:3132

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
23⤵
PID:4660

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
24⤵
- Modifies Windows Firewall
PID:640

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
22⤵
PID:1396

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
23⤵
- Modifies Windows Firewall
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
24⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
21⤵
PID:5032

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
22⤵
- Modifies Windows Firewall
PID:1472

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
20⤵
PID:1532

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
21⤵
- Modifies Windows Firewall
PID:2748

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
19⤵
PID:4952

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
20⤵
- Modifies Windows Firewall
PID:3576

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
18⤵
PID:3760

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
19⤵
- Modifies Windows Firewall
PID:1924

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
17⤵
PID:3500

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
18⤵
- Modifies Windows Firewall
PID:3372

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
16⤵
PID:2728

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
17⤵
- Modifies Windows Firewall
PID:2640

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
15⤵
PID:5020

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
16⤵
- Modifies Windows Firewall
PID:1700

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
14⤵
PID:2916

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
15⤵
- Modifies Windows Firewall
PID:1220

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
13⤵
PID:1780

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
14⤵
- Modifies Windows Firewall
PID:3588

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
12⤵
PID:5060

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
13⤵
- Modifies Windows Firewall
PID:3068

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
11⤵
PID:3080

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
12⤵
- Modifies Windows Firewall
PID:2508

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
10⤵
PID:1256

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
11⤵
- Modifies Windows Firewall
PID:3812

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
9⤵
PID:1556

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
10⤵
- Modifies Windows Firewall
PID:1912

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
8⤵
PID:3340

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
9⤵
- Modifies Windows Firewall
PID:1392

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
8⤵
- Modifies Windows Firewall
PID:1524

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
7⤵
- Modifies Windows Firewall
PID:644

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:3068

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:1716

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 864
4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat

Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\firewall.exe

Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
C:\Users\Admin\Documents\My Music\autorun.inf

Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Documents\My Pictures\autorun.inf

Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Documents\My Videos\autorun.inf

Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf

Filesize
323B

MD5
f949be5c00056b76437bc780e92999de

SHA1
fd9920081f3bf1e7eb86433b1ac1a4d8f25174e6

SHA256
3c4ffecacd1c4c008d3fb69855972b2209e12e9695386b687038e12c5ec80ce8

SHA512
619eec04a8c1cce943aa27f69f65480428f07685a03a543d69800e0fdc41321ccd2cc57ff7ba310d22a0196b6cfdb5b30e5331c1a1ac6f0c94382cb27d32f270

Download Submit
memory/2848-8-0x00000000733E1000-0x00000000733E2000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x00000000733E0000-0x0000000073991000-memory.dmp

Filesize
5.7MB

Download
memory/2848-11-0x00000000733E0000-0x0000000073991000-memory.dmp

Filesize
5.7MB

Download
memory/2848-437-0x00000000733E0000-0x0000000073991000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads