Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 04-12-2021 07:37
Behavioral task: behavioral1
- Sample: 8b1591597ee8d31f95502e15cb409bb7.exe
- Resource: win7-en-20211104
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 8b1591597ee8d31f95502e15cb409bb7.exe
- Resource: win10-en-20211014
- 0 signatures, 0 seconds
General
- Target: 8b1591597ee8d31f95502e15cb409bb7.exe
- Size: 93KB
- MD5: 8b1591597ee8d31f95502e15cb409bb7
- SHA1: e27d6a8fbea33a22fcb0e6a2932394200c2cd63a
- SHA256: c802ad69a90e92057e9e356cb084b3673d27f8d012634318dc839f3a833a36b3
- SHA512: ae2803ef4fa5c683ab2710924ca8c3d30e396048944160ef871aaf86fbb7ce260205eb6da8fb92392958829e56d494291fc52a29bb4be9500351769ba31e9364
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP)
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Program Files (x86)\Explower.exe | 8b1591597ee8d31f95502e15cb409bb7.exe
  File created | C:\Program Files (x86)\Explower.exe | 8b1591597ee8d31f95502e15cb409bb7.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: 33 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
  Token: SeIncBasePriorityPrivilege | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 2704 wrote to memory of 3612 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
  PID 2704 wrote to memory of 3612 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
  PID 2704 wrote to memory of 3612 | 2704 | 8b1591597ee8d31f95502e15cb409bb7.exe | netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8b1591597ee8d31f95502e15cb409bb7.exe" "8b1591597ee8d31f95502e15cb409bb7.exe" ENABLE