2fe3787ef46112ec56659f0476410355318fb5a079f7af4996966191eeb83948

General

Target

2toned (1).exe
Size

93KB
MD5

0f7ded44b2e9ae305f705b553bbb103a
SHA1

f59500f7b2ab7349d3d4642ce62d34733c30cef7
SHA256

2fe3787ef46112ec56659f0476410355318fb5a079f7af4996966191eeb83948
SHA512

78e56c6a96d4b01a61ab726cb549505edb431e8601064d59e9719c3b1276a3ef9ba047af9f7c2196f92b3d1f32e7185bc58fb9195efabb87b286224556b4ae71
SSDEEP

1536:tl4gCxdKt75sOTjonrzGVjEwzGi1dDhDsgS:tladKDhT4rzGii1dVF

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2684 netsh.exe
2688 netsh.exe
860 netsh.exe

pid	process
2684	netsh.exe
2688	netsh.exe
860	netsh.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2toned (1).exe

description	ioc	process
File created	F:\autorun.inf	2toned (1).exe
File opened for modification	F:\autorun.inf	2toned (1).exe
File created	C:\autorun.inf	2toned (1).exe
File opened for modification	C:\autorun.inf	2toned (1).exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2toned (1).exe

pid process

1068 2toned (1).exe

pid	process
1068	2toned (1).exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

2toned (1).exe

description	pid	process
Token: SeDebugPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe
Token: 33	1068	2toned (1).exe
Token: SeIncBasePriorityPrivilege	1068	2toned (1).exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2toned (1).exe

pid process

1068 2toned (1).exe

pid	process
1068	2toned (1).exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2toned (1).exe

description	pid	process	target process
PID 1068 wrote to memory of 860	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 860	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 860	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 860	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2684	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2684	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2684	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2684	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2688	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2688	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2688	1068	2toned (1).exe	netsh.exe
PID 1068 wrote to memory of 2688	1068	2toned (1).exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2toned (1).exe
"C:\Users\Admin\AppData\Local\Temp\2toned (1).exe"
1⤵
- Drops autorun.inf file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe" "2toned (1).exe" ENABLE
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:860

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe"
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe" "2toned (1).exe" ENABLE
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-0-0x0000000074F61000-0x0000000074F62000-memory.dmp

Filesize
4KB

Download
memory/1068-1-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-2-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-12-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads