Analysis

  • max time kernel
    136s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 15:54

General

  • Target

    2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe

  • Size

    301KB

  • MD5

    5e04a9f2d48e007fc7ee5e06fb7a3613

  • SHA1

    e3123b48a526b357d773b606916eaeedaf7ee437

  • SHA256

    2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666

  • SHA512

    0bfb8f050727c5a651a56b7dc6131412dc940252aa115c9adc6ee9462a5ef9e8acdb03617b0d6110d6fe6fcda5214310f9f496d8f78821455e2f457a80a5af14

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe
    "C:\Users\Admin\AppData\Local\Temp\2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe" "2bf0f638224e306a99420932175be8bcd8ac26311a964d65c385cc7915689666.exe" ENABLE
      2⤵
        PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Downloads

  • memory/1516-54-0x000007FEF27F0000-0x000007FEF3886000-memory.dmp
    Filesize

    16.6MB

  • memory/1732-55-0x0000000000000000-mapping.dmp
  • memory/1732-56-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
    Filesize

    8KB