Analysis
- max time kernel: 148s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 17:50
Behavioral task: behavioral1
- Sample: 2toned (1).exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2toned (1).exe
- Resource: win10v2004-20240508-en
General
- Target: 2toned (1).exe
- Size: 93KB
- MD5: 0f7ded44b2e9ae305f705b553bbb103a
- SHA1: f59500f7b2ab7349d3d4642ce62d34733c30cef7
- SHA256: 2fe3787ef46112ec56659f0476410355318fb5a079f7af4996966191eeb83948
- SHA512: 78e56c6a96d4b01a61ab726cb549505edb431e8601064d59e9719c3b1276a3ef9ba047af9f7c2196f92b3d1f32e7185bc58fb9195efabb87b286224556b4ae71
- SSDEEP: 1536:tl4gCxdKt75sOTjonrzGVjEwzGi1dDhDsgS:tladKDhT4rzGii1dVF
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  Processes (pid, process):
    1968  netsh.exe
    4956  netsh.exe
    4972  netsh.exe
- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes (description, ioc, process):
    File created                  C:\autorun.inf  2toned (1).exe
    File opened for modification  C:\autorun.inf  2toned (1).exe
    File created                  F:\autorun.inf  2toned (1).exe
    File opened for modification  F:\autorun.inf  2toned (1).exe
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description, ioc, process); all nine operations are by netsh.exe on the key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh:
    Key queried
    Key value enumerated
    Key opened
    Key queried
    Key value enumerated
    Key queried
    Key value enumerated
    Key opened
    Key opened
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    4636  2toned (1).exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege            4636  2toned (1).exe
    Token: 33                          4636  2toned (1).exe  (17 occurrences, alternating with the next row)
    Token: SeIncBasePriorityPrivilege  4636  2toned (1).exe  (17 occurrences)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
    4636  2toned (1).exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 4636 wrote to memory of 1968  4636  2toned (1).exe  netsh.exe  (3 occurrences)
    PID 4636 wrote to memory of 4956  4636  2toned (1).exe  netsh.exe  (3 occurrences)
    PID 4636 wrote to memory of 4972  4636  2toned (1).exe  netsh.exe  (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2toned (1).exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe"
  - Drops autorun.inf file
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe" "2toned (1).exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe"
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2toned (1).exe" "2toned (1).exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/4636-0-0x0000000074C42000-0x0000000074C43000-memory.dmp (Filesize: 4KB)
- memory/4636-1-0x0000000074C40000-0x00000000751F1000-memory.dmp (Filesize: 5.7MB)
- memory/4636-2-0x0000000074C40000-0x00000000751F1000-memory.dmp (Filesize: 5.7MB)
- memory/4636-12-0x0000000074C42000-0x0000000074C43000-memory.dmp (Filesize: 4KB)
- memory/4636-13-0x0000000074C40000-0x00000000751F1000-memory.dmp (Filesize: 5.7MB)