Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:03
Behavioral task
behavioral1
Sample
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe
-
Size
53KB
-
MD5
9f68e8d3d56e207be9f3814f5f084cd3
-
SHA1
d4fb2293908d00b17c232d614e6e3a9fcb217bf8
-
SHA256
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13
-
SHA512
80b45935c4de14c57035caf9d401671c318b07229ed74fb0cd96500cbff4073b4d218d3d425d1ce65b3f6b8fdeb9fda0b343572e67971ae3f8a54d942060b35e
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb4e9f3d65482a77bc0d3a7471027899.exe c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb4e9f3d65482a77bc0d3a7471027899.exe c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exedescription pid process Token: SeDebugPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: 33 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe Token: SeIncBasePriorityPrivilege 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exedescription pid process target process PID 3428 wrote to memory of 4936 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe netsh.exe PID 3428 wrote to memory of 4936 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe netsh.exe PID 3428 wrote to memory of 4936 3428 c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe"C:\Users\Admin\AppData\Local\Temp\c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe" "c92662ee291050ca3538a617f892ca5e8f54fa781f9e3f56aac85c49d77e2f13.exe" ENABLE2⤵