5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552

Analysis

max time kernel
158s
max time network
88s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
01-08-2022 16:42

Target

5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Size

23KB
MD5

281562063dc32d2c9f03a564f585c733
SHA1

ab853a207275b81b3a1d8453138bf0d0e359c801
SHA256

5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552
SHA512

fe4a7f922e42532cb9af7e40db6a4a7c02e5f2aacde509a6172cc6d82c960ad378fa459261c4b4c00bbe7b99f4b0cf8c30b72d3be1e714d9ae20adee62cf034b

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

900 netsh.exe

pid	process
900	netsh.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe

description	pid	process
Token: SeDebugPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: 33	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe
Token: SeIncBasePriorityPrivilege	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe

description	pid	process	target process
PID 1524 wrote to memory of 900	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe	netsh.exe
PID 1524 wrote to memory of 900	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe	netsh.exe
PID 1524 wrote to memory of 900	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe	netsh.exe
PID 1524 wrote to memory of 900	1524	5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe" "5bc7794339b1b71367bdd209a859d296de5929254cb7e3dad8526e8a5eed4552.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:900

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/900-57-0x0000000000000000-mapping.dmp

Download
memory/1524-54-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1524-55-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-56-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download