Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 17:50
Behavioral task: behavioral1
- Sample: 2toned (1).exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2toned (1).exe
- Resource: win10v2004-20240508-en
General
- Target: 2toned (1).exe
- Size: 93KB
- MD5: 0f7ded44b2e9ae305f705b553bbb103a
- SHA1: f59500f7b2ab7349d3d4642ce62d34733c30cef7
- SHA256: 2fe3787ef46112ec56659f0476410355318fb5a079f7af4996966191eeb83948
- SHA512: 78e56c6a96d4b01a61ab726cb549505edb431e8601064d59e9719c3b1276a3ef9ba047af9f7c2196f92b3d1f32e7185bc58fb9195efabb87b286224556b4ae71
- SSDEEP: 1536:tl4gCxdKt75sOTjonrzGVjEwzGi1dDhDsgS:tladKDhT4rzGii1dVF
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  Processes (pid / process):
    2684  netsh.exe
    2688  netsh.exe
    860   netsh.exe
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes (description / ioc / process):
    File created                  F:\autorun.inf  2toned (1).exe
    File opened for modification  F:\autorun.inf  2toned (1).exe
    File created                  C:\autorun.inf  2toned (1).exe
    File opened for modification  C:\autorun.inf  2toned (1).exe
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description / ioc / process), all on key \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe:
    Key opened
    Key queried
    Key queried
    Key queried
    Key value enumerated
    Key value enumerated
    Key opened
    Key value enumerated
    Key opened
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid / process):
    1068  2toned (1).exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description / pid / process), all by pid 1068, 2toned (1).exe:
    Token: SeDebugPrivilege             (1 occurrence)
    Token: 33                           (16 occurrences)
    Token: SeIncBasePriorityPrivilege   (16 occurrences, alternating with Token: 33)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid / process):
    1068  2toned (1).exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), source 2toned (1).exe (pid 1068), target netsh.exe:
    PID 1068 wrote to memory of 860    (4 occurrences)
    PID 1068 wrote to memory of 2684   (4 occurrences)
    PID 1068 wrote to memory of 2688   (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2toned (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe"
  - Drops autorun.inf file
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe" "2toned (1).exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe"
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe" "2toned (1).exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1068-0-0x0000000074F61000-0x0000000074F62000-memory.dmp (Filesize: 4KB)
- memory/1068-1-0x0000000074F60000-0x000000007550B000-memory.dmp (Filesize: 5.7MB)
- memory/1068-2-0x0000000074F60000-0x000000007550B000-memory.dmp (Filesize: 5.7MB)
- memory/1068-12-0x0000000074F60000-0x000000007550B000-memory.dmp (Filesize: 5.7MB)