Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-08-2022 08:08
Behavioral task: behavioral1
- Sample: bEhn.exe
- Resource: win7-20220812-en
- windows7-x64
- 3 signatures
- 150 seconds
General
- Target: bEhn.exe
- Size: 23KB
- MD5: dffbd7034e49e8af1ffb55f1eb2a7401
- SHA1: cb837595a4a74742e3c92b2c83cd04e4b8fc1992
- SHA256: 7cc7e1f381c7ba108efde283d52ad7955e583e6f9192cf46a593a4a36e6250ef
- SHA512: 4fb4fde9cd93d60ac321b613483b0eb7cdd69043282bb0d8829241a894c10a5eac96699ff353d9bed5605bd0705d7f0511a3df14f499b000c1b870ad6cd06792
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    process   pid   description
    bEhn.exe  4440  Token: SeDebugPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
    bEhn.exe  4440  Token: 33
    bEhn.exe  4440  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    process   pid   target process   description
    bEhn.exe  4440  netsh.exe        PID 4440 wrote to memory of 448
    bEhn.exe  4440  netsh.exe        PID 4440 wrote to memory of 448
    bEhn.exe  4440  netsh.exe        PID 4440 wrote to memory of 448
Processes
- C:\Users\Admin\AppData\Local\Temp\bEhn.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bEhn.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4440
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEhn.exe" "bEhn.exe" ENABLE
    - Modifies Windows Firewall
    PID: 448