Analysis

max time kernel: 149s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-12-2021 23:08
Behavioral task: behavioral1
  Sample: ad6d18c89eef983fc9f430c196126c8d.exe
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: ad6d18c89eef983fc9f430c196126c8d.exe
  Resource: win10-en-20211208 (windows10_x64)
  0 signatures, 0 seconds
General

Target: ad6d18c89eef983fc9f430c196126c8d.exe
Size: 37KB
MD5: ad6d18c89eef983fc9f430c196126c8d
SHA1: afb1de83bc99267054f39829d9a43974b9e40a20
SHA256: c54173049678a8818d2857d63c4b671ffe1652c74280ede9f210f542881e0287
SHA512: 3bee79110ff9394828d4505648c0895f3fa2986e633da418532937cfb0160e30b99f163f3ca1895b0765f61bafd9d1969eec78c0f50aa29d04ae731dde5ea92e
Score: 8/10
Malware Config
Signatures

Modifies Windows Firewall (1 TTP)
  The sample spawns netsh.exe to add its own executable to the firewall's allowed-program list; the exact command line is in the process tree under Processes.

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                         pid    process
  Token: SeDebugPrivilege             3264   ad6d18c89eef983fc9f430c196126c8d.exe
  Token: 33                           3264   ad6d18c89eef983fc9f430c196126c8d.exe
  Token: SeIncBasePriorityPrivilege   3264   ad6d18c89eef983fc9f430c196126c8d.exe
  After the single SeDebugPrivilege adjustment, the remaining 34 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for PID 3264. The sandbox reports privilege 33 by its numeric value rather than its name; in winnt.h that value is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege).

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    process                                 target process
  PID 3264 wrote to memory of 1828   3264   ad6d18c89eef983fc9f430c196126c8d.exe   netsh.exe
  The same entry is recorded three times; PID 1828 is the netsh.exe child shown in the process tree.
Processes

1. C:\Users\Admin\AppData\Local\Temp\ad6d18c89eef983fc9f430c196126c8d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad6d18c89eef983fc9f430c196126c8d.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ad6d18c89eef983fc9f430c196126c8d.exe" "ad6d18c89eef983fc9f430c196126c8d.exe" ENABLE

The child is the SysWOW64 copy of netsh.exe, which means the sample itself is a 32-bit process. It uses the legacy netsh firewall context (deprecated in favour of netsh advfirewall, but still present) to allow its own executable, sitting in the user's Temp directory, through the Windows Firewall: a self-whitelisting step that precedes inbound or outbound network activity.
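One way to turn the netsh behaviour above into a detection over process-creation telemetry, as an added example that is not part of the sandbox report and not code from the sample. The process-creation records are constructed to mirror the tree above (the sample's own parent PID, the record field names, and the benign installer record used for comparison are assumptions, not data from the sandbox). The parser handles both the legacy `netsh firewall add allowedprogram` form seen here and the current `netsh advfirewall firewall add rule ... action=allow program=...` form, and flags an entry when the allowed program lives in a user-writable directory or when the program being allowed is the parent process that launched netsh (self-whitelisting).

```python
"""Flag netsh commands that punch a firewall hole for a suspicious program.

Added example, not the sandbox's or the sample's code. Event records are
constructed below to mirror the report's process tree; field names and the
sample's parent PID are assumptions.
"""
import re
from dataclasses import dataclass

# Legacy context:  netsh firewall add allowedprogram "<path>" "<name>" ENABLE
LEGACY_ALLOW = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:program\s*=\s*)?(?:"([^"]+)"|(\S+))', re.I)
# Current context: netsh advfirewall firewall add rule ... action=allow program="<path>"
ADV_ADD_RULE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b', re.I)
ADV_PROGRAM = re.compile(r'\bprogram\s*=\s*(?:"([^"]+)"|(\S+))', re.I)
ADV_ALLOW = re.compile(r'\baction\s*=\s*allow\b', re.I)

# Path fragments (lower-cased, backslash-delimited) that any user can write to.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed schema, e.g. Sysmon event 1)."""
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


def parse_netsh_allow(command_line: str):
    """Return the program path a netsh command would allow through the
    firewall, or None if the command line is not such a command."""
    if not re.search(r'\bnetsh(?:\.exe)?\b', command_line, re.I):
        return None
    m = LEGACY_ALLOW.search(command_line)
    if m:
        # The legacy form adds an entry whether or not ENABLE is given.
        return m.group(1) or m.group(2)
    if ADV_ADD_RULE.search(command_line) and ADV_ALLOW.search(command_line):
        m = ADV_PROGRAM.search(command_line)
        if m:
            return m.group(1) or m.group(2)
    return None


def assess(events):
    """Return one finding per firewall-allow command, with the reasons it is
    suspicious (empty list means nothing suspicious beyond the command itself)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        program = parse_netsh_allow(e.command_line)
        if program is None:
            continue
        low = program.lower()
        parent = by_pid.get(e.ppid)
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("allowed program lives in a user-writable directory")
        if parent is not None and parent.image.lower() == low:
            reasons.append("rule added by the program it allows (self-whitelisting)")
        findings.append({
            "pid": e.pid,
            "ppid": e.ppid,
            "program": program,
            "reasons": reasons,
            # A SysWOW64 netsh means the parent is a 32-bit process, as in the report.
            "wow64": "\\syswow64\\" in e.image.lower(),
        })
    return findings


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad6d18c89eef983fc9f430c196126c8d.exe"

# Constructed records. PIDs 3264 and 1828 and both command lines come from the
# report; the parent PID 1234 of the sample and the two System32 records are made up.
EVENTS = [
    ProcEvent(3264, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1828, 3264, "C:\\Windows\\SysWOW64\\netsh.exe",
              f'netsh firewall add allowedprogram "{SAMPLE}" '
              f'"ad6d18c89eef983fc9f430c196126c8d.exe" ENABLE'),
    ProcEvent(4100, 900, "C:\\Windows\\System32\\netsh.exe",
              'netsh advfirewall firewall add rule name="Contoso Agent" dir=in '
              'action=allow program="C:\\Program Files\\Contoso\\agent.exe" enable=yes'),
    ProcEvent(4200, 900, "C:\\Windows\\System32\\netsh.exe",
              "netsh interface show interface"),
]

if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(finding)
```

The benign record is flagged with an empty reason list: a firewall-allow command is still worth logging, but the installer allowing a program under Program Files is a far weaker signal than a Temp-resident executable allowing itself. Correlating the netsh child with its parent image is what separates the two, so the detection needs parent-process data, not just netsh command lines.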