Analysis
- max time kernel: 167s
- max time network: 167s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 22-10-2021 18:44
Behavioral task: behavioral1
- Sample: a82da1bff532a65cd40a98f551263363.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: a82da1bff532a65cd40a98f551263363.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: a82da1bff532a65cd40a98f551263363.exe
- Size: 93KB
- MD5: a82da1bff532a65cd40a98f551263363
- SHA1: 7e48a49fdbd41965a5cab4bb848e59d3cda8b5f7
- SHA256: 3324e0b42bb2f59c605cdab74271e0c3b63a45786d1941d92b3b7abb6946a0e4
- SHA512: 7cbdcb64920a2a7eb87369a442620b05e2ea3914a64d62051b011b7b3d6e84a2197395660df47f3d2774b3886b0874c4d7b73218c7d3a644b6127ac83924e4a9
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process), 64 identical entries:
    3032 a82da1bff532a65cd40a98f551263363.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    3032 a82da1bff532a65cd40a98f551263363.exe
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes (description, pid, process), 27 entries, all for pid 3032 a82da1bff532a65cd40a98f551263363.exe:
    Token: SeDebugPrivilege (first entry)
    Token: 33 and Token: SeIncBasePriorityPrivilege (alternating for the remaining 26 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process), 3 identical entries:
    PID 3032 wrote to memory of 1092 | 3032 | a82da1bff532a65cd40a98f551263363.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a82da1bff532a65cd40a98f551263363.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a82da1bff532a65cd40a98f551263363.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a82da1bff532a65cd40a98f551263363.exe" "a82da1bff532a65cd40a98f551263363.exe" ENABLE