Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-12-2021 00:26
Behavioral task: behavioral1
- Sample: a8dc753c688c6575161f62092cd2007d.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: a8dc753c688c6575161f62092cd2007d.exe
- Resource: win10-en-20211208
- 0 signatures
- 0 seconds
General
- Target: a8dc753c688c6575161f62092cd2007d.exe
- Size: 37KB
- MD5: a8dc753c688c6575161f62092cd2007d
- SHA1: c1edb2b7b8aadddca630085dc8e2ba4d0392ee53
- SHA256: dbc86d106d7e6993024eca3c621bd7dd84ea578903fd11a62ed3af896ef78470
- SHA512: 84da0b51aecf8743839f6dceafcdadc1491cb84b7949862c0b079a3f98c8c6d983bc15e045e48476b05f3c05abf149e921faccdbbdb56f406f2d3223ab9f66ea
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: a8dc753c688c6575161f62092cd2007d.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\46bf89ad0102831dcc1dc39e90f31001 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a8dc753c688c6575161f62092cd2007d.exe\" .."
  process: a8dc753c688c6575161f62092cd2007d.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\46bf89ad0102831dcc1dc39e90f31001 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a8dc753c688c6575161f62092cd2007d.exe\" .."
  process: a8dc753c688c6575161f62092cd2007d.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a8dc753c688c6575161f62092cd2007d.exe
  pid 2560, process a8dc753c688c6575161f62092cd2007d.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: a8dc753c688c6575161f62092cd2007d.exe
  pid 2560, process a8dc753c688c6575161f62092cd2007d.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: a8dc753c688c6575161f62092cd2007d.exe
  Token: SeDebugPrivilege, pid 2560, process a8dc753c688c6575161f62092cd2007d.exe
  followed by alternating entries Token: 33 and Token: SeIncBasePriorityPrivilege, each with pid 2560, process a8dc753c688c6575161f62092cd2007d.exe (35 entries in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: a8dc753c688c6575161f62092cd2007d.exe
  PID 2560 wrote to memory of 3868, process a8dc753c688c6575161f62092cd2007d.exe, target process netsh.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a8dc753c688c6575161f62092cd2007d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a8dc753c688c6575161f62092cd2007d.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of the process above)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a8dc753c688c6575161f62092cd2007d.exe" "a8dc753c688c6575161f62092cd2007d.exe" ENABLE