Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 30-11-2021 23:54
Behavioral task: behavioral1
- Sample: e3dffd69771b03d9b2b51567436be26c.exe
- Resource: win7-en-20211104 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: e3dffd69771b03d9b2b51567436be26c.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: e3dffd69771b03d9b2b51567436be26c.exe
- Size: 31KB
- MD5: e3dffd69771b03d9b2b51567436be26c
- SHA1: 30d685427e8d7524565a8bf3773bfb271b9a0030
- SHA256: 54622fa73246157a2e25e418d554d5ccafc663151ac067819d18f48caad9a32c
- SHA512: 3f01888856d43f25089ca64094fb26f75acec90f6b7b389caefb48aafc0ed764aa1edcc31ae3f6e5d43595b86fac18d8531f191c449d417a748b4a054772a11f
- Score: 10/10
Malware Config
Signatures
- Modifies Windows Firewall (TTPs: 1)
- Drops startup file (IoCs: 2)
  Processes:
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aaffeb7a5f54025070b8e182b1fa7d98.exe
    process: e3dffd69771b03d9b2b51567436be26c.exe
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aaffeb7a5f54025070b8e182b1fa7d98.exe
    process: e3dffd69771b03d9b2b51567436be26c.exe
- Adds Run key to start application (TTPs: 2, IoCs: 2)
  Processes:
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaffeb7a5f54025070b8e182b1fa7d98 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e3dffd69771b03d9b2b51567436be26c.exe\" .."
    process: e3dffd69771b03d9b2b51567436be26c.exe
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaffeb7a5f54025070b8e182b1fa7d98 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e3dffd69771b03d9b2b51567436be26c.exe\" .."
    process: e3dffd69771b03d9b2b51567436be26c.exe
- Suspicious use of AdjustPrivilegeToken (IoCs: 33)
  Processes:
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: Token: SeDebugPrivilege
    pid: 1600
    process: e3dffd69771b03d9b2b51567436be26c.exe
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: Token: 33
    pid: 1600
    process: e3dffd69771b03d9b2b51567436be26c.exe
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1600
    process: e3dffd69771b03d9b2b51567436be26c.exe
  (The "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair above is repeated, all from pid 1600, for the remaining entries; 33 IoCs in total.)
- Suspicious use of WriteProcessMemory (IoCs: 4)
  Processes:
  - e3dffd69771b03d9b2b51567436be26c.exe
    description: PID 1600 wrote to memory of 764
    pid: 1600
    process: e3dffd69771b03d9b2b51567436be26c.exe
    target process: netsh.exe
  (The same entry is recorded four times.)
Processes
- C:\Users\Admin\AppData\Local\Temp\e3dffd69771b03d9b2b51567436be26c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3dffd69771b03d9b2b51567436be26c.exe"
  PID: 1600
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child of PID 1600)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\e3dffd69771b03d9b2b51567436be26c.exe" "e3dffd69771b03d9b2b51567436be26c.exe" ENABLE
    PID: 764