Analysis
- max time kernel: 150s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:51
Static task
- static1

Behavioral task
- behavioral1
  Sample: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds

Behavioral task
- behavioral2
  Sample: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures
  0 seconds
General
- Target: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
- Size: 32KB
- MD5: dfa1067abe58675b9a275e8a6c544003
- SHA1: 89e61e3bc4c575fdbe74c3d68669fae202b116c0
- SHA256: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014
- SHA512: 7edb9ace2d4107516e00caaf7560db356844996b637923c4f73422b6639e63585568b2aca2fc107395016700f2888d01cbda2e406c2affdbd7f8bb51e3aac31e
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe

  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e06e38b7a8e256877bbd3afd7ba58dbe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe\" .." | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\e06e38b7a8e256877bbd3afd7ba58dbe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe\" .." | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe

- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe

  description | pid | process
  Token: SeDebugPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: 33 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Token: SeIncBasePriorityPrivilege | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe

  description | pid | process | target process
  PID 756 wrote to memory of 1200 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe | netsh.exe
  PID 756 wrote to memory of 1200 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe | netsh.exe
  PID 756 wrote to memory of 1200 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe | netsh.exe
  PID 756 wrote to memory of 1200 | 756 | 4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe" "4324befcb3dccac5407342ac0227728cac8c157d1a8d9d4f58aa06772d263014.exe" ENABLE