Analysis

Max time kernel: 148s
Max time network: 147s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 28-12-2020 12:03

Static task: static1
Behavioral task: behavioral1
Sample: AUwfHmPk.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: AUwfHmPk.exe
Size: 31KB
MD5: 045107b240d368a311121457a8f2f627
SHA1: 6c5b99dea02e36a5e3fbc091a0adc5e7e173b49a
SHA256: 83ddef765b4ec295f3c690cf43f78afcf5e349efbc25a0f62a0df9f3656299ab
SHA512: b4597f42283ff8285582ded028ca8cea569245d4a06f2e437657070c9645446621b3a95a197480b53bd2bd9698b22c09eaa630b007757eb9e632424012eccdfd
Malware Config
Signatures

- Modifies Windows Firewall (1 TTPs)

- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 868 | AUwfHmPk.exe
  Token: 33 | 868 | AUwfHmPk.exe
  Token: SeIncBasePriorityPrivilege | 868 | AUwfHmPk.exe
  (The "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair then repeats, always from pid 868, for the remaining rows of the 33 listed. SeDebugPrivilege is the one worth noting: it is only useful for opening other processes' handles, which an ordinary 31KB user-mode program has no need of.)

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 868 wrote to memory of 1272 | 868 | AUwfHmPk.exe | netsh.exe
  (This row appears four times. Sandboxes commonly record a few such writes whenever a process spawns a child, so on its own this is a low-confidence indicator; what it does confirm is that netsh.exe (1272) is a child of the sample (868).)
Processes

1. C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe" "AUwfHmPk.exe" ENABLE

The child is netsh.exe from SysWOW64 rather than System32, which indicates the parent is a 32-bit image running under WoW64 file-system redirection. "netsh firewall" is the legacy firewall context, deprecated since Vista in favour of "netsh advfirewall firewall" but still accepted on Windows 7; "add allowedprogram ... ENABLE" registers the sample's own path as an authorised program so that unsolicited inbound connections to it are allowed through Windows Firewall. A binary in a user's Temp directory authorising itself is the strongest signal in this tree.
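The pattern in the tree above (a binary spawning netsh to open the firewall for its own path) is easy to hunt for in process-creation telemetry. The Python below is an added example, not part of this sandbox report or of any tool it was produced by: it parses both the legacy "netsh firewall add allowedprogram" syntax seen here and the Vista+ "netsh advfirewall firewall add rule ... program=" form, then flags exceptions whose program lives in a user-writable directory, whose parent process is the program being allowed, or which use the deprecated context. The pids 868 and 1272 and the sample's path come from the report; the parent pid of 868, the "Contoso" events, their paths and the field names of ProcEvent are assumptions made for the example.

```python
"""Flag netsh commands that open Windows Firewall for a suspicious program.
Added example, not part of the report; SAMPLE_EVENTS below are constructed."""
import ntpath
from dataclasses import dataclass
from typing import Optional

# Lower-case directory markers an unprivileged user can write to; software that
# legitimately needs a firewall exception rarely runs from these.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
    "\\programdata\\", "\\downloads\\", "\\windows\\temp\\",
)

@dataclass
class ProcEvent:              # the fields a Sysmon EID 1 / Security 4688 record gives you
    pid: int
    ppid: int
    image: str                # full path of the created process
    cmdline: str

def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes wherever
    they appear in a token (e.g. program="C:\\Program Files\\a.exe")."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def allowed_program(cmdline: str) -> Optional[dict]:
    """Return {"program", "allow", "legacy"} for a netsh firewall-exception command,
    or None if the command line is anything else."""
    toks = split_cmdline(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    # Legacy context (still accepted on Windows 7), the form in the report:
    #   netsh firewall add|set allowedprogram [program=]<path> [name=]<name> [[mode=]ENABLE|DISABLE]
    if low[1:4] in (["firewall", "add", "allowedprogram"], ["firewall", "set", "allowedprogram"]):
        args = toks[4:]
        keyed = {k.lower(): v for k, _, v in (a.partition("=") for a in args if "=" in a)}
        positional = [a for a in args if "=" not in a]
        program = keyed.get("program") or (positional[0] if positional else None)
        if program is None:
            return None
        # mode may be keyed, the third positional argument, or omitted (netsh defaults to ENABLE)
        mode = keyed.get("mode") or (positional[2] if "program" not in keyed and len(positional) > 2 else "ENABLE")
        return {"program": program, "allow": mode.upper() == "ENABLE", "legacy": True}
    # Vista+ context: netsh advfirewall firewall add rule name=<n> dir=in action=allow|block program=<path> ...
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        keyed = {k.lower(): v for k, _, v in (a.partition("=") for a in toks[5:] if "=" in a)}
        if "program" not in keyed:
            return None  # port/service-scoped rules are out of scope here
        return {"program": keyed["program"],
                "allow": keyed.get("action", "").lower() == "allow", "legacy": False}
    return None

def suspicious_firewall_change(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Reasons this event looks like malware opening the firewall for itself ([] = none)."""
    info = allowed_program(ev.cmdline)
    if not info or not info["allow"]:
        return []
    reasons = []
    if any(m in ntpath.normcase(info["program"]) for m in USER_WRITABLE):
        reasons.append("allowed program is in a user-writable directory: " + info["program"])
    parent = by_pid.get(ev.ppid)
    if parent and ntpath.normcase(parent.image) == ntpath.normcase(info["program"]):
        reasons.append(f"parent pid {ev.ppid} ({ntpath.basename(parent.image)}) is authorising itself")
    if info["legacy"]:
        reasons.append("uses the deprecated 'netsh firewall' context")
    return reasons

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Run the check over a batch of events; returns {pid: reasons} for hits only."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := suspicious_firewall_change(e, by_pid))}

# Constructed telemetry mirroring the report's tree: pids 868 and 1272 are from the
# report; the parent of 868, the Contoso events and their paths are invented for contrast.
SAMPLE_EVENTS = [
    ProcEvent(868, 1400, r"C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe"'),
    ProcEvent(1272, 868, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe" "AUwfHmPk.exe" ENABLE'),
    ProcEvent(2040, 2000, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow program="C:\Program Files\Contoso\agent.exe"'),
    ProcEvent(3001, 2000, r"C:\Windows\System32\netsh.exe", "netsh interface ip show config"),
]
```

scan(SAMPLE_EVENTS) returns a hit only for pid 1272, with all three reasons; the Contoso rule (Program Files, advfirewall syntax, parent is not the allowed program) is left alone. The directory list is deliberately narrow: AppData\Local as a whole is excluded because per-user installers such as browsers and collaboration clients legitimately run from there and add their own rules, so tune USER_WRITABLE to what your fleet actually runs.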
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/1272-2-0x0000000000000000-mapping.dmp