Analysis

- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 06-08-2022 16:26
Behavioral task: behavioral1

- Sample: bDTb.exe
- Resource: win7-20220718-en
- 3 signatures
- 150 seconds
General

- Target: bDTb.exe
- Size: 36KB
- MD5: f0e497ca736bc83a340b9f242ea3613c
- SHA1: ff438abc6a2252d2e9ba29478425e081067e2353
- SHA256: 999fd9c215a2fdaf3bff8681d0c94d2d6411e63aca34680ef66bc84f0a29a27c
- SHA512: 6222582746e2cd1c0e39885fb1c8c201044a0e3cacb2022623b92fe856396d216c58bd4cb1ef72f4e046287ee62623fb0d01c34b06b756f04fa29075989394db
- Score: 8/10
Malware Config
Signatures

- Modifies Windows Firewall (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: bDTb.exe

  description | pid | process
  Token: SeDebugPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe
  Token: 33 | 1172 | bDTb.exe
  Token: SeIncBasePriorityPrivilege | 1172 | bDTb.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: bDTb.exe

  description | pid | process | target process
  PID 1172 wrote to memory of 1608 | 1172 | bDTb.exe | netsh.exe
  PID 1172 wrote to memory of 1608 | 1172 | bDTb.exe | netsh.exe
  PID 1172 wrote to memory of 1608 | 1172 | bDTb.exe | netsh.exe
  PID 1172 wrote to memory of 1608 | 1172 | bDTb.exe | netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\bDTb.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bDTb.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bDTb.exe" "bDTb.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- memory/1172-54-0x00000000754F1000-0x00000000754F3000-memory.dmp (Filesize: 8KB)
- memory/1172-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp (Filesize: 5.7MB)
- memory/1172-58-0x0000000074A50000-0x0000000074FFB000-memory.dmp (Filesize: 5.7MB)
- memory/1608-56-0x0000000000000000-mapping.dmp