Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 04:37
Static task: static1
Behavioral task: behavioral1
- Sample: Test.exe
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Test.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Test.exe
- Size: 157KB
- MD5: f1753868a6f882634aec63147dc892c1
- SHA1: a74ca1e6dadb04714923f9bc6ecd3c180f308d62
- SHA256: 85c592312019b0c16b5a3658d5ae4136d5bd64c5d7d00c03949c074d61df289e
- SHA512: 646dbe5654bb89b5e8160419f847053864faca6b17243f03b4aadede8ecba1836300714904a66ba9f988eb8edb30229277f2ec43ff635cd81d1cf25fef534510
Score: 10/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: Test.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1e397122988a7342da769a64e1ffe6c.exe (Test.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1e397122988a7342da769a64e1ffe6c.exe (Test.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Test.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\c1e397122988a7342da769a64e1ffe6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" .." (Test.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c1e397122988a7342da769a64e1ffe6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" .." (Test.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Test.exe
  pid 1828 Test.exe (the same entry is listed for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: Test.exe
  Token: SeDebugPrivilege, pid 1828 Test.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 17 entries each, all pid 1828 Test.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Test.exe
  PID 1828 (Test.exe) wrote to memory of PID 3312 (netsh.exe), listed 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\Test.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Test.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Test.exe" "Test.exe" ENABLE