Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-12-2021 23:22
Behavioral tasks

| Task | Sample | Resource | Platform | Signatures | Duration |
| --- | --- | --- | --- | --- | --- |
| behavioral1 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | win7-en-20211208 | windows7_x64 | 0 signatures | 0 seconds |
| behavioral2 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | win10-en-20211208 | windows10_x64 | 0 signatures | 0 seconds |
General
- Target: b598b0ecf0848c10ca61aa23c93ed5f9.exe
- Size: 91KB
- MD5: b598b0ecf0848c10ca61aa23c93ed5f9
- SHA1: 3dd842fb3ab58046de7f4d4c2f0d28b4404a1c57
- SHA256: 6000cb4765d6219aeea0210a1ecec6af293e3ee6e330f560e30c043987f5aeb7
- SHA512: 9aec32b1c79788eee9bf6fd20122603dab131e0c3d5e209e1502583d65a44e012765158ee3f25a07d44b92cc9872dd0af2d92c0dedd058e587f530f47fa0493d
- Score: 8/10

Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)

Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | b598b0ecf0848c10ca61aa23c93ed5f9.exe |

- Drops file in System32 directory (2 IoCs)

Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\Explower.exe | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| File opened for modification | C:\Windows\SysWOW64\Explower.exe | b598b0ecf0848c10ca61aa23c93ed5f9.exe |

- Drops file in Program Files directory (2 IoCs)

Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Explower.exe | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| File opened for modification | C:\Program Files (x86)\Explower.exe | b598b0ecf0848c10ca61aa23c93ed5f9.exe |

- Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes:
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

Processes:

| pid | process |
| --- | --- |
| 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
- Suspicious use of AdjustPrivilegeToken (35 IoCs)

Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: 33 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
| Token: SeIncBasePriorityPrivilege | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe |
- Suspicious use of WriteProcessMemory (9 IoCs)

Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3900 wrote to memory of 1796 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 1796 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 1796 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 3176 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 3176 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 3176 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 4020 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 4020 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
| PID 3900 wrote to memory of 4020 | 3900 | b598b0ecf0848c10ca61aa23c93ed5f9.exe | netsh.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe"
  - Drops startup file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe" "b598b0ecf0848c10ca61aa23c93ed5f9.exe" ENABLE
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe"
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe" "b598b0ecf0848c10ca61aa23c93ed5f9.exe" ENABLE