Analysis

max time kernel: 155s
max time network: 156s
platform: windows7_x64
resource: win7v20210408
submitted: 27-04-2021 11:44

Static task: static1

Behavioral task: behavioral1
  Sample: 06df68d23ca8adce4908f39e182b339e.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 06df68d23ca8adce4908f39e182b339e.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General

Target: 06df68d23ca8adce4908f39e182b339e.exe
Size: 23KB
MD5: 06df68d23ca8adce4908f39e182b339e
SHA1: d1ce4822591a8739aaf5dad0fbeb64bca38581c7
SHA256: 71cc1166c599e930469f5504583c37309bef66f36d575cf4c18813b7a77fbd6f
SHA512: 164c80cebcac91c353c8fe9fa3a29d6b6dd831c5483048f60a8a9de60f0c34b1a00fb40f9670301dff05c0be9560ecc0a0db40f72b4ee1de7d3ef1f4d2649aed
Score: 10/10
Malware Config
Signatures
Modifies Windows Firewall (1 TTP)
  No IoC rows are listed for this signature; the evidence is the netsh.exe command line in the process tree below.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 06df68d23ca8adce4908f39e182b339e.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\2aa70120b487afa04c3760d3ddc6aca3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe\" .." | 06df68d23ca8adce4908f39e182b339e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2aa70120b487afa04c3760d3ddc6aca3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe\" .." | 06df68d23ca8adce4908f39e182b339e.exe
  Both values carry the same 32-hex-character name and the same data: the quoted sample path followed by a space and "..". The HKLM write lands under Wow6432Node, i.e. the sample ran as a 32-bit process on the x64 guest.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: 06df68d23ca8adce4908f39e182b339e.exe
  description | pid | process | count
  Token: SeDebugPrivilege | 756 | 06df68d23ca8adce4908f39e182b339e.exe | 1
  Token: 33 | 756 | 06df68d23ca8adce4908f39e182b339e.exe | 16
  Token: SeIncBasePriorityPrivilege | 756 | 06df68d23ca8adce4908f39e182b339e.exe | 16
  The 33 rows occur in the order SeDebugPrivilege once, then "33" and SeIncBasePriorityPrivilege alternating, 16 times each.

Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 06df68d23ca8adce4908f39e182b339e.exe
  description | pid | process | target process | count
  PID 756 wrote to memory of 1716 | 756 | 06df68d23ca8adce4908f39e182b339e.exe | netsh.exe | 4
Processes

1. C:\Users\Admin\AppData\Local\Temp\06df68d23ca8adce4908f39e182b339e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06df68d23ca8adce4908f39e182b339e.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\06df68d23ca8adce4908f39e182b339e.exe" "06df68d23ca8adce4908f39e182b339e.exe" ENABLE
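Detection logic for the two host artifacts this report records (the Run key value whose data is a quoted .exe path followed by " ..", and the child netsh.exe adding the sample to the firewall allowed-program list), as an added example that is not part of the sandbox report and not code from the sample. It runs over constructed Sysmon-style JSON events (Event ID 13 RegistryEvent with Image/TargetObject/Details, Event ID 1 ProcessCreate with Image/ParentImage/CommandLine); the field values are copied from the IoCs above, the two benign control lines are made up, and the rule names, severity thresholds and user-writable-path list are my own choices. The netsh rule goes slightly beyond the page: `netsh firewall` is the legacy context, so the regex also catches the `netsh advfirewall firewall add rule ... program=` form a newer sample would use.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Sysmon-style events as JSON lines. NOT the sandbox's own logs: the
# values of the first three lines are copied from the IoCs in the report so the
# rules can be exercised offline; the last two lines are benign controls.
SAMPLE_LOG = r'''
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe", "TargetObject": "HKU\\S-1-5-21-2455352368-1077083310-2879168483-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\2aa70120b487afa04c3760d3ddc6aca3", "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe\" .."}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe", "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\2aa70120b487afa04c3760d3ddc6aca3", "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe\" .."}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe", "CommandLine": "netsh firewall add allowedprogram \"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d23ca8adce4908f39e182b339e.exe\" \"06df68d23ca8adce4908f39e182b339e.exe\" ENABLE"}
{"EventID": 13, "Image": "C:\\Program Files\\Example\\setup.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater", "Details": "\"C:\\Program Files\\Example\\updater.exe\" --background"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "netsh advfirewall show allprofiles"}
'''

# Value name under ...\CurrentVersion\Run (last path component of TargetObject).
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Hash-like value name, as in the report (32 hex digits).
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Quoted .exe path followed by a space and two dots, exactly as in the report's IoCs.
DOTDOT_RE = re.compile(r'^"[^"]+\.exe" \.\.$', re.IGNORECASE)
# Directories an unprivileged user can write to (assumed list, not from the report).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Windows\\Temp\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram" (seen here) and the advfirewall equivalent.
FIREWALL_ALLOW_RE = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b.*\bprogram=",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    image: str      # process responsible (registry writer, or parent of netsh.exe)
    evidence: str


def check_run_key(ev: dict) -> Optional[Finding]:
    """Flag Run-key persistence with the hash-name / ' ..' data pattern from the report."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    name, data = m.group(1), ev.get("Details", "")
    reasons = []
    if HEX32_RE.match(name):
        reasons.append("value name is a 32-hex-digit string")
    if DOTDOT_RE.match(data):
        reasons.append('value data is a quoted .exe path followed by " .."')
    if USER_WRITABLE_RE.search(data):
        reasons.append("autostart target lives in a user-writable directory")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "low"
    return Finding("run_key_persistence", severity, ev.get("Image", ""),
                   f"{name}: {'; '.join(reasons)}")


def check_netsh(ev: dict) -> Optional[Finding]:
    """Flag netsh.exe adding a program to the firewall allow list; escalate for temp paths."""
    if ev.get("EventID") != 1:
        return None
    if not ev.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if not FIREWALL_ALLOW_RE.search(cmd):
        return None
    severity = "high" if USER_WRITABLE_RE.search(cmd) else "medium"
    return Finding("firewall_allowedprogram", severity, ev.get("ParentImage", ""), cmd)


def scan(log_text: str) -> List[Finding]:
    """Run both checks over every JSON-line event and collect the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_run_key, check_netsh):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule} by {f.image}: {f.evidence}")
```

On the constructed log the scan returns three high-severity findings (the HKU and HKLM\Wow6432Node Run values, then the netsh allowedprogram command attributed to the sample as parent) and nothing for the two benign controls. The two registry findings are raised on the name and data patterns alone, so the rule does not depend on the specific value name 2aa70120b487afa04c3760d3ddc6aca3 and will still fire when a later sample generates a different hash.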