9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816

General

Target

9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Size

37KB
MD5

93a389000ec4dcbbae139d573e7b0d60
SHA1

16a787f72716de7d215ad11d459a0f4f354dc798
SHA256

9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816
SHA512

7dcdd2fb34c0498850b6c2f8cc97155bb082527d185fca710a33ded92bab8bac9ed01cefb67c26b263db47dcde2de3fd59706f2bd81582b09fed601eefa1976b
SSDEEP

384:EcN+6WIiejtCVLO309Qmykrt4QdqMjf+vWEWYrAF+rMRTyN/0L+EcoinblneHQM:LoHdGdkrOGb+eE7rM+rMRa8NupHt

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1932	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: 33	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
Token: SeIncBasePriorityPrivilege	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1932	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe	30
PID 1980 wrote to memory of 1932	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe	30
PID 1980 wrote to memory of 1932	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe	30
PID 1980 wrote to memory of 1932	1980	9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe	30

C:\Users\Admin\AppData\Local\Temp\9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe
"C:\Users\Admin\AppData\Local\Temp\9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe" "9f5aa25adaa95bc0bfaab044cadddf8da160c33a88ffe98c3f91817802446816N.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/1980-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-2-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-3-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads