Analysis
- max time kernel: 161s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-02-2022 08:25
Behavioral task: behavioral1
- Sample: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
- Resource: win10v2004-en-20220112
- 0 signatures
- 0 seconds
General
- Target: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
- Size: 324KB
- MD5: 4b4e6ce587df768d5f3530aa8c2a3a75
- SHA1: 87169151f1c6b437966e5c54a683b3675d41af95
- SHA256: dece4adf99e29edff4ef336fe6f7c40ffb90abd46514985ef86ef7c4fe5e94ed
- SHA512: c060f9ce6594cfdd8043c16839bd6db65841b32288cffcec7fe21897611be76e0ae529d4668762478841d91ca6d4f74bbfbe109bb01ea3cfaaaeace1f47373db
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b4e6ce587df768d5f3530aa8c2a3a75.exe\" .." | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b4e6ce587df768d5f3530aa8c2a3a75.exe\" .." | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  description | pid | process
  Token: SeDebugPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: 33 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 4b4e6ce587df768d5f3530aa8c2a3a75.exe
  description | pid | process | target process
  PID 1672 wrote to memory of 1280 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe | netsh.exe
  PID 1672 wrote to memory of 1280 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe | netsh.exe
  PID 1672 wrote to memory of 1280 | 1672 | 4b4e6ce587df768d5f3530aa8c2a3a75.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b4e6ce587df768d5f3530aa8c2a3a75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b4e6ce587df768d5f3530aa8c2a3a75.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4b4e6ce587df768d5f3530aa8c2a3a75.exe" "4b4e6ce587df768d5f3530aa8c2a3a75.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1280-58-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp (Filesize: 8KB)
- memory/1672-56-0x0000000000B50000-0x0000000000B52000-memory.dmp (Filesize: 8KB)
- memory/1672-55-0x000007FEF5C5E000-0x000007FEF5C5F000-memory.dmp (Filesize: 4KB)
- memory/1672-57-0x000007FEF2BA0000-0x000007FEF3C36000-memory.dmp (Filesize: 16.6MB)