Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    09-04-2022 07:34

General

  • Target

    b16fbd7f2bcb427d3473efce2bc72f3e.exe

  • Size

    32KB

  • MD5

    b16fbd7f2bcb427d3473efce2bc72f3e

  • SHA1

    e294c3914f0d5d07d869faad19809df322f0b589

  • SHA256

    b63198762408d6beff97af4132f085b3429e41bf7c00d7819e7361a7e987d3fa

  • SHA512

    26abd5ca8ad85f3a8e390dbc35e0b086c87fd872d22769f643fe49147b9691ca84fd367e9566c976aefd2d93f1e1249634015685b1f2951dc301597de81d1071

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b16fbd7f2bcb427d3473efce2bc72f3e.exe
    "C:\Users\Admin\AppData\Local\Temp\b16fbd7f2bcb427d3473efce2bc72f3e.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b16fbd7f2bcb427d3473efce2bc72f3e.exe" "b16fbd7f2bcb427d3473efce2bc72f3e.exe" ENABLE
      2⤵
        PID:1608

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1500-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
      Filesize

      8KB

    • memory/1500-55-0x0000000074A30000-0x0000000074FDB000-memory.dmp
      Filesize

      5.7MB

    • memory/1608-56-0x0000000000000000-mapping.dmp