Analysis

Max time kernel: 153s
Max time network: 153s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 22-09-2021 14:04
Behavioral tasks

behavioral1: sample e741074fedb4ec508e304ecb834d78aa.exe, resource win7v20210408 (windows7_x64)
behavioral2: sample e741074fedb4ec508e304ecb834d78aa.exe, resource win10-en-20210920 (windows10_x64)
General

Target: e741074fedb4ec508e304ecb834d78aa.exe
Size: 37KB
MD5: e741074fedb4ec508e304ecb834d78aa
SHA1: 2189c0ffa7ba0d2c64dd9dea2b00b967f4de2d93
SHA256: fdd90c147010114bf0d334c72cfba5a164c26b1f8fdd1e04271901f1152765dc
SHA512: 33a862402852c7604ade1b028a229d0915e8e096e80a97b7149aea85bfb33e13653e21bd2f476a09646186a31bb42acd2f990e701397ca786641c9c4d9539f53
Score: 8/10
Malware Config
Signatures

Modifies Windows Firewall (1 TTP)
The sample spawns netsh.exe to add itself to the Windows Firewall allowed-programs list (see the Processes section). This is the behaviour that carries most of the weight in the score.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries are the same process: pid 1088, e741074fedb4ec508e304ecb834d78aa.exe. Repeated enumeration from one process usually means the sample polls the process list; the report does not record which processes it looked for.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 1088, e741074fedb4ec508e304ecb834d78aa.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
All entries belong to pid 1088, e741074fedb4ec508e304ecb834d78aa.exe:
  Token: SeDebugPrivilege (1 entry)
  Token: 33 (17 entries; the sandbox reports this privilege only by its numeric value)
  Token: SeIncBasePriorityPrivilege (17 entries)
SeDebugPrivilege is the notable item: it is the privilege a process needs to open and manipulate processes it does not own, and the remaining entries alternate between Token: 33 and SeIncBasePriorityPrivilege.

Suspicious use of WriteProcessMemory (4 IoCs)
All four entries are the same event: pid 1088 (e741074fedb4ec508e304ecb834d78aa.exe) wrote to memory of pid 1668 (netsh.exe). A parent writing into a child it has just created also happens during normal process creation, so these entries on their own are not evidence of code injection into netsh.exe.
Processes

1. C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe (pid 1088)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe"
   Signatures: EnumeratesProcesses, GetForegroundWindowSpam, AdjustPrivilegeToken, WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (pid 1668, child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe" "e741074fedb4ec508e304ecb834d78aa.exe" ENABLE

The child command uses the legacy netsh firewall context (deprecated since Windows Vista in favour of netsh advfirewall, but still accepted on Windows 7) to register the sample itself as an allowed program, so Windows Firewall will not block unsolicited inbound connections to it. The program path is the user's Temp directory and the rule name is the sample's own filename; both are useful pivots when hunting in process-creation telemetry.
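A detection for the firewall-modification step in the process tree above, as an added example that is not part of this sandbox report or of the sample's code. It runs over constructed process-creation events in the shape of Sysmon Event ID 1 records: the two events for pids 1088 and 1668 reproduce the command lines recorded above, while the other events, their pids, parent pids and paths are hypothetical. It parses both the legacy netsh firewall syntax the sample used and the advfirewall form, and flags an allow entry when the whitelisted program sits in a user-writable directory or when the netsh parent is whitelisting its own executable.

```python
"""Flag netsh invocations that add a Windows Firewall allow entry for a program in a
user-writable directory, or whose parent process is the program being whitelisted."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style). The events for pids 1088
# and 1668 reproduce the sample and netsh command lines from the report; the rest are
# hypothetical examples of the modern advfirewall syntax, both malicious and benign.
SAMPLE_EVENTS: List[dict] = [
    {"pid": 1088, "ppid": 700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe"'},
    {"pid": 1668, "ppid": 1088, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\e741074fedb4ec508e304ecb834d78aa.exe" "e741074fedb4ec508e304ecb834d78aa.exe" ENABLE'},
    {"pid": 2040, "ppid": 1088, "image": r"C:\Windows\System32\netsh.exe",  # hypothetical
     "cmdline": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\Downloads\updater.exe" enable=yes'},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",   # hypothetical, benign
     "cmdline": r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\CorpVPN\vpn.exe"'},
    {"pid": 3200, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",   # hypothetical, benign
     "cmdline": "netsh interface ip show config"},
]

# Directories an unprivileged user can write to; a firewall exception for a binary here is suspect.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
                         "\\users\\public\\", "c:\\programdata\\", "\\windows\\temp\\")


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Quotes delimit a token but are not part of it, so name="Corp VPN" becomes 'name=Corp VPN'."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def allowed_program(tokens: List[str]) -> Optional[str]:
    """Return the program path a netsh command line whitelists, or None if it adds no allow entry.
    Handles the legacy 'netsh firewall add allowedprogram <path> <name> [mode]' form used by the
    sample and the 'netsh advfirewall firewall add rule ... action=allow program=<path>' form."""
    low = [t.lower() for t in tokens]
    if not low or low[0].split("\\")[-1] not in ("netsh", "netsh.exe"):
        return None
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(tokens) > 4:
        path = tokens[4]  # legacy syntax also accepts program=<path>
        return path.split("=", 1)[1] if path.lower().startswith("program=") else path
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv: Dict[str, str] = {}
        for tok in tokens[5:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key.lower()] = value
        if kv.get("action", "").lower() == "allow" and kv.get("program"):
            return kv["program"]
    return None


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


@dataclass
class Finding:
    pid: int
    ppid: int
    program: str
    reasons: List[str] = field(default_factory=list)


def detect_firewall_whitelisting(events: List[dict]) -> List[Finding]:
    """Run the detection over process-creation events; one Finding per suspicious netsh call."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        if not ev["image"].lower().endswith("\\netsh.exe"):
            continue
        program = allowed_program(split_cmdline(ev["cmdline"]))
        if program is None:
            continue
        reasons = []
        if is_user_writable(program):
            reasons.append("program path is in a user-writable directory")
        parent = by_pid.get(ev["ppid"])  # None when the parent was not seen in this batch
        if parent is not None and parent["image"].lower() == program.lower():
            reasons.append("parent process whitelisted its own executable")
        if reasons:
            findings.append(Finding(ev["pid"], ev["ppid"], program, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_firewall_whitelisting(SAMPLE_EVENTS):
        print(f"netsh pid {f.pid} (parent {f.ppid}) allowed {f.program}: {'; '.join(f.reasons)}")
```

The parent-whitelists-itself check is the higher-confidence signal because it needs no directory allowlist; the user-writable-directory check catches the same behaviour when a dropper whitelists a second-stage binary instead of itself. Neither check inspects rule names, so renaming the rule does not evade it.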