Analysis
max time kernel: 151s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211104
submitted: 04-12-2021 07:37
Behavioral task: behavioral1
Sample: 8b1591597ee8d31f95502e15cb409bb7.exe
Resource: win7-en-20211104 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 8b1591597ee8d31f95502e15cb409bb7.exe
Resource: win10-en-20211014 (windows10_x64)
0 signatures, 0 seconds
General
Target: 8b1591597ee8d31f95502e15cb409bb7.exe
Size: 93KB
MD5: 8b1591597ee8d31f95502e15cb409bb7
SHA1: e27d6a8fbea33a22fcb0e6a2932394200c2cd63a
SHA256: c802ad69a90e92057e9e356cb084b3673d27f8d012634318dc839f3a833a36b3
SHA512: ae2803ef4fa5c683ab2710924ca8c3d30e396048944160ef871aaf86fbb7ce260205eb6da8fb92392958829e56d494291fc52a29bb4be9500351769ba31e9364
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP)
- Drops file in Program Files directory (2 IoCs)
  Processes: 8b1591597ee8d31f95502e15cb409bb7.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Explower.exe | 8b1591597ee8d31f95502e15cb409bb7.exe
  File opened for modification | C:\Program Files (x86)\Explower.exe | 8b1591597ee8d31f95502e15cb409bb7.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 8b1591597ee8d31f95502e15cb409bb7.exe
  pid | process
  1924 | 8b1591597ee8d31f95502e15cb409bb7.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: 8b1591597ee8d31f95502e15cb409bb7.exe
  description | pid | process
  Token: SeDebugPrivilege | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe
  (the "Token: 33" and "Token: SeIncBasePriorityPrivilege" rows alternate for the remainder of the 33 entries, all from pid 1924)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 8b1591597ee8d31f95502e15cb409bb7.exe
  description | pid | process | target process
  PID 1924 wrote to memory of 1708 | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
  PID 1924 wrote to memory of 1708 | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
  PID 1924 wrote to memory of 1708 | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
  PID 1924 wrote to memory of 1708 | 1924 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe" "8b1591597ee8d31f95502e15cb409bb7.exe" ENABLE