Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 28-07-2022 01:08
Behavioral task: behavioral1
- Sample: bDJV.exe
- Resource: win7-20220715-en
- Platform: windows7-x64
- 3 signatures
- 150 seconds
General
- Target: bDJV.exe
- Size: 23KB
- MD5: 495b1cad7d009024ca97d9d508f66e21
- SHA1: 0934b0aa893374169df0bf46edf03ee15239b8d6
- SHA256: 34a26cda7f0251648bbc5c791ff2e27eb66162463bdc73799a9afe05d53f7ae2
- SHA512: b9d061b16f4178138af4e4a3f1930132bd256bbfc8ae4c2e2c039d7a2d2b229801cc3effd45c3fd5bf1300642d5839dae4c6f1405b06aa7c8adee32df0f621d4
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)

Processes (bDJV.exe):
description                          | pid  | process
Token: SeDebugPrivilege              | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
Token: 33                            | 1976 | bDJV.exe
Token: SeIncBasePriorityPrivilege    | 1976 | bDJV.exe
- Suspicious use of WriteProcessMemory (4 IoCs)

Processes (bDJV.exe):
description                     | pid  | process  | target process
PID 1976 wrote to memory of 1724 | 1976 | bDJV.exe | netsh.exe
PID 1976 wrote to memory of 1724 | 1976 | bDJV.exe | netsh.exe
PID 1976 wrote to memory of 1724 | 1976 | bDJV.exe | netsh.exe
PID 1976 wrote to memory of 1724 | 1976 | bDJV.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bDJV.exe (PID 1976)
   Command line: "C:\Users\Admin\AppData\Local\Temp\bDJV.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (PID 1724, child of 1976)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bDJV.exe" "bDJV.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1724-56-0x0000000000000000-mapping.dmp
- memory/1976-54-0x0000000076901000-0x0000000076903000-memory.dmp (Filesize: 8KB)
- memory/1976-55-0x0000000074C20000-0x00000000751CB000-memory.dmp (Filesize: 5.7MB)
- memory/1976-58-0x0000000074C20000-0x00000000751CB000-memory.dmp (Filesize: 5.7MB)