Analysis

max time kernel: 175s
max time network: 172s
platform: windows10_x64
resource: win10-en
submitted: 08-09-2021 14:17
Behavioral task: behavioral1
Sample: 00B304CC27719527294CC81BA4761EF3.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 00B304CC27719527294CC81BA4761EF3.exe
Resource: win10-en (windows10_x64)
0 signatures, 0 seconds
General

Target: 00B304CC27719527294CC81BA4761EF3.exe
Size: 121KB
MD5: 00b304cc27719527294cc81ba4761ef3
SHA1: 2cf075ffd58e32d01d1098170a4d891eb870a476
SHA256: 79de8a957ad063ca344492294a8effe23484f2edcff99800591eeebc3389ff26
SHA512: 83c81f99dc7792486252078aba823d94b9f012e55f612e48e7370b229a474fc1da1c629ee9f76786e6764223dac0b8e676f5a888f28400be72780673dbc5c894
Score: 10/10
Malware Config
Signatures

- Modifies Windows Firewall (1 TTPs)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 00B304CC27719527294CC81BA4761EF3.exe

  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\8eb3dc33a038541a526b690674af9470 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\00B304CC27719527294CC81BA4761EF3.exe\" .." | 00B304CC27719527294CC81BA4761EF3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8eb3dc33a038541a526b690674af9470 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\00B304CC27719527294CC81BA4761EF3.exe\" .." | 00B304CC27719527294CC81BA4761EF3.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: 00B304CC27719527294CC81BA4761EF3.exe

  description | pid | process
  Token: SeDebugPrivilege | 4564 | 00B304CC27719527294CC81BA4761EF3.exe
  Token: 33 | 4564 | 00B304CC27719527294CC81BA4761EF3.exe
  Token: SeIncBasePriorityPrivilege | 4564 | 00B304CC27719527294CC81BA4761EF3.exe
  (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" repeats, always from pid 4564, for the remainder of the 35 entries; the verbatim repeats are collapsed here)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 00B304CC27719527294CC81BA4761EF3.exe

  description | pid | process | target process
  PID 4564 wrote to memory of 3964 | 4564 | 00B304CC27719527294CC81BA4761EF3.exe | netsh.exe
  PID 4564 wrote to memory of 3964 | 4564 | 00B304CC27719527294CC81BA4761EF3.exe | netsh.exe
  PID 4564 wrote to memory of 3964 | 4564 | 00B304CC27719527294CC81BA4761EF3.exe | netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\00B304CC27719527294CC81BA4761EF3.exe (PID 4564)
  command line: "C:\Users\Admin\AppData\Local\Temp\00B304CC27719527294CC81BA4761EF3.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\netsh.exe (PID 3964, child of 4564)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\00B304CC27719527294CC81BA4761EF3.exe" "00B304CC27719527294CC81BA4761EF3.exe" ENABLE