Analysis
- max time kernel: 158s
- max time network: 88s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
- submitted: 01-08-2022 16:42
Behavioral task
- behavioral1
- Sample: 5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
- Resource: win7-20220715-en
- windows7-x64
- 3 signatures
- 150 seconds
General
- Target: 5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
- Size: 23KB
- MD5: 281562063dc32d2c9f03a564f585c733
- SHA1: ab853a207275b81b3a1d8453138bf0d0e359c801
- SHA256: 5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552
- SHA512: fe4a7f922e42532cb9af7e40db6a4a7c02e5f2aacde509a6172cc6d82c960ad378fa459261c4b4c00bbe7b99f4b0cf8c30b72d3be1e714d9ae20adee62cf034b
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
  description                          pid   process
  Token: SeDebugPrivilege              1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: 33                            1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Token: SeIncBasePriorityPrivilege    1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                          pid   process                                                                 target process
  PID 1524 wrote to memory of 900      1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe   netsh.exe
  PID 1524 wrote to memory of 900      1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe   netsh.exe
  PID 1524 wrote to memory of 900      1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe   netsh.exe
  PID 1524 wrote to memory of 900      1524  5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe   netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe" "5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/900-57-0x0000000000000000-mapping.dmp
- memory/1524-54-0x0000000076311000-0x0000000076313000-memory.dmp (Filesize: 8KB)
- memory/1524-55-0x0000000074CA0000-0x000000007524B000-memory.dmp (Filesize: 5.7MB)
- memory/1524-56-0x0000000074CA0000-0x000000007524B000-memory.dmp (Filesize: 5.7MB)