Analysis

max time kernel: 145s
max time network: 142s
platform: windows10_x64
resource: win10v20201028
submitted: 28-12-2020 12:03
Static task: static1
Behavioral task: behavioral1
Sample: AUwfHmPk.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: AUwfHmPk.exe
Size: 31KB
MD5: 045107b240d368a311121457a8f2f627
SHA1: 6c5b99dea02e36a5e3fbc091a0adc5e7e173b49a
SHA256: 83ddef765b4ec295f3c690cf43f78afcf5e349efbc25a0f62a0df9f3656299ab
SHA512: b4597f42283ff8285582ded028ca8cea569245d4a06f2e437657070c9645446621b3a95a197480b53bd2bd9698b22c09eaa630b007757eb9e632424012eccdfd
Malware Config
Signatures
Modifies Windows Firewall (1 TTP)

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
description                        | pid  | process
Token: SeDebugPrivilege            | 4708 | AUwfHmPk.exe
Token: 33                          | 4708 | AUwfHmPk.exe
Token: SeIncBasePriorityPrivilege  | 4708 | AUwfHmPk.exe
The last two rows (Token: 33, then Token: SeIncBasePriorityPrivilege) alternate for the rest of the table, 17 pairs in all, which together with the SeDebugPrivilege row gives the 35 IoCs. "Token: 33" is a privilege LUID the sandbox did not resolve to a name; in winnt.h the value 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Enabling SeDebugPrivilege is the notable entry: it is what a process needs to open other users' processes for injection or memory reading.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                        | pid  | process      | target process
PID 4708 wrote to memory of 3292   | 4708 | AUwfHmPk.exe | netsh.exe
(this row appears three times in the report)
Processes

1. C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe (PID 4708, from the signature tables above)
   command line: "C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (PID 3292, child of 1)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe" "AUwfHmPk.exe" ENABLE

The sample spawns netsh to add its own full path to the legacy Windows Firewall allowed-programs list (the `netsh firewall` context, deprecated since Windows Vista but still accepted, equivalent to `netsh advfirewall firewall add rule ... program=...`). The SysWOW64 copy of netsh.exe is what a 32-bit parent gets through WOW64 file system redirection, so the parent is running as a 32-bit process. A whitelisting rule for a binary in a user's Temp directory, created by that same binary, is the pattern to alert on.
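The process tree above is the classic self-whitelisting pattern: the dropped binary launches netsh.exe to add an exception for its own path. The following detection logic is an added example written for this page; it is not part of the sandbox report or of the sample. It runs over a handful of constructed process-creation events (Sysmon Event ID 1 style, with hypothetical PIDs and command lines that mirror the report, plus a benign administrator rule for contrast), extracts the program a `netsh firewall add allowedprogram` or `netsh advfirewall firewall add rule` command allows, and raises the severity when that program lives in a user-writable directory or is the parent process itself. Field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption about your telemetry schema.

```python
"""Flag netsh firewall exceptions that whitelist the process that created them."""
import re
from dataclasses import dataclass

# Constructed sample telemetry for this example (not from the report above).
# Event 1/2 reproduce the report's process tree; 3 is a benign admin rule; 4 is
# a netsh invocation that does not touch the firewall at all.
SAMPLE_EVENTS = [
    {"pid": 4708, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe"'},
    {"pid": 3292, "ppid": 4708,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AUwfHmPk.exe" "AUwfHmPk.exe" ENABLE'},
    {"pid": 5100, "ppid": 800,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\VPN\vpn.exe"'},
    {"pid": 5200, "ppid": 800,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh interface ip show config"},
]

# Directories an unprivileged user can write to. An exception for a binary here
# is far more suspicious than one for something under Program Files.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I
)

# Legacy syntax (what the report shows):
#   netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE
LEGACY = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I
)
# Current syntax:
#   netsh advfirewall firewall add rule name=<n> dir=in action=allow program=<path>
MODERN = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
    re.I | re.S,
)


@dataclass
class Finding:
    pid: int
    parent_pid: int
    program: str
    self_exception: bool   # the parent process is the very binary being allowed
    user_writable: bool    # the allowed binary lives in a user-writable directory

    @property
    def severity(self) -> str:
        return "high" if (self.self_exception or self.user_writable) else "info"


def allowed_program(cmdline: str):
    """Return the program path a netsh command whitelists, or None if it does not."""
    for pattern in (LEGACY, MODERN):
        m = pattern.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def analyse(events):
    """Correlate each netsh firewall change with the process that launched it."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\netsh.exe"):
            continue
        program = allowed_program(e["cmdline"])
        if program is None:
            continue
        parent = by_pid.get(e["ppid"])
        self_exc = parent is not None and parent["image"].lower() == program.lower()
        findings.append(Finding(e["pid"], e["ppid"], program, self_exc,
                                bool(USER_WRITABLE.search(program))))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity}] netsh pid {f.pid} (parent {f.parent_pid}) allowed "
              f"{f.program} self_exception={f.self_exception} "
              f"user_writable={f.user_writable}")
```

Run against the constructed events, the netsh child with PID 3292 scores high on both criteria (its parent is the whitelisted binary and the path is under AppData), the VPN rule is reported as info only, and the `interface ip show config` invocation is ignored. In production the parent lookup should come from the event's own parent fields rather than a PID map, since PIDs are reused after a process exits.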
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/3292-2-0x0000000000000000-mapping.dmp (memory dump taken from PID 3292, the netsh.exe child that AUwfHmPk.exe wrote to)