Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-04-2021 10:38
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 06df68d2_by_Libranalysis.exe
  - Resource: win7v20210410
  - Platform: windows7_x64
  - 0 signatures
  - 0 seconds

Behavioral task
- behavioral2
  - Sample: 06df68d2_by_Libranalysis.exe
  - Resource: win10v20210410
  - Platform: windows10_x64
  - 0 signatures
  - 0 seconds
General
- Target: 06df68d2_by_Libranalysis.exe
- Size: 23KB
- MD5: 06df68d23ca8adce4908f39e182b339e
- SHA1: d1ce4822591a8739aaf5dad0fbeb64bca38581c7
- SHA256: 71cc1166c599e930469f5504583c37309bef66f36d575cf4c18813b7a77fbd6f
- SHA512: 164c80cebcac91c353c8fe9fa3a29d6b6dd831c5483048f60a8a9de60f0c34b1a00fb40f9670301dff05c0be9560ecc0a0db40f72b4ee1de7d3ef1f4d2649aed
- Score: 10/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 06df68d2_by_Libranalysis.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\2aa70120b487afa04c3760d3ddc6aca3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d2_by_Libranalysis.exe\" .." | 06df68d2_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2aa70120b487afa04c3760d3ddc6aca3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\06df68d2_by_Libranalysis.exe\" .." | 06df68d2_by_Libranalysis.exe
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes: 06df68d2_by_Libranalysis.exe

description | pid | process
Token: SeDebugPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
Token: 33 | 1268 | 06df68d2_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege | 1268 | 06df68d2_by_Libranalysis.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 06df68d2_by_Libranalysis.exe

description | pid | process | target process
PID 1268 wrote to memory of 1596 | 1268 | 06df68d2_by_Libranalysis.exe | netsh.exe
PID 1268 wrote to memory of 1596 | 1268 | 06df68d2_by_Libranalysis.exe | netsh.exe
PID 1268 wrote to memory of 1596 | 1268 | 06df68d2_by_Libranalysis.exe | netsh.exe
PID 1268 wrote to memory of 1596 | 1268 | 06df68d2_by_Libranalysis.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\06df68d2_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06df68d2_by_Libranalysis.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child process)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\06df68d2_by_Libranalysis.exe" "06df68d2_by_Libranalysis.exe" ENABLE