34a26cda7f0251648bbc5c791ff2e27eb66162463bdc73799a9afe05d53f7ae2

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
28-07-2022 01:08

Target

bDJV.exe
Size

23KB
MD5

495b1cad7d009024ca97d9d508f66e21
SHA1

0934b0aa893374169df0bf46edf03ee15239b8d6
SHA256

34a26cda7f0251648bbc5c791ff2e27eb66162463bdc73799a9afe05d53f7ae2
SHA512

b9d061b16f4178138af4e4a3f1930132bd256bbfc8ae4c2e2c039d7a2d2b229801cc3effd45c3fd5bf1300642d5839dae4c6f1405b06aa7c8adee32df0f621d4

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1724 netsh.exe

pid	process
1724	netsh.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

bDJV.exe

description	pid	process
Token: SeDebugPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe
Token: 33	1976	bDJV.exe
Token: SeIncBasePriorityPrivilege	1976	bDJV.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bDJV.exe

description	pid	process	target process
PID 1976 wrote to memory of 1724	1976	bDJV.exe	netsh.exe
PID 1976 wrote to memory of 1724	1976	bDJV.exe	netsh.exe
PID 1976 wrote to memory of 1724	1976	bDJV.exe	netsh.exe
PID 1976 wrote to memory of 1724	1976	bDJV.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bDJV.exe" "bDJV.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1724

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1724-56-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000076901000-0x0000000076903000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-58-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download