Analysis
-
max time kernel
188s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 07:14
Static task
static1
Behavioral task
behavioral1
Sample
49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe
-
Size
37KB
-
MD5
555c42a4d6cee75f5b74bb20ff6dc65c
-
SHA1
9b5856345e889808b23bb4e1408684d7082c7b08
-
SHA256
49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190
-
SHA512
995de3f70a892312b0c50d219e9c40e508811be5e486d8c71e075197d2e070bf31acc66baa07d392db0fed9c8bf185e88b9dc8a277deadbadbc7df12ff9f044d
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exedescription pid process Token: SeDebugPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: 33 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe Token: SeIncBasePriorityPrivilege 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exedescription pid process target process PID 972 wrote to memory of 2016 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe netsh.exe PID 972 wrote to memory of 2016 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe netsh.exe PID 972 wrote to memory of 2016 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe netsh.exe PID 972 wrote to memory of 2016 972 49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe"C:\Users\Admin\AppData\Local\Temp\49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe" "49c0e3bbb59d81bad201d19c17c77a77f12253be70782b409d57cd2c4df7d190.exe" ENABLE2⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/972-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmpFilesize
8KB
-
memory/972-55-0x0000000074330000-0x00000000748DB000-memory.dmpFilesize
5.7MB
-
memory/972-58-0x0000000074330000-0x00000000748DB000-memory.dmpFilesize
5.7MB
-
memory/2016-56-0x0000000000000000-mapping.dmp