Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2022 02:08
Behavioral task
behavioral1
Sample
bEiR.exe
Resource
win7-20220812-en
3 signatures
150 seconds
General
- Target: bEiR.exe
- Size: 23KB
- MD5: b4355ec0815354965333f61ef03df0b4
- SHA1: a7ec0778d34b932de187d90c92e3af10b31088a2
- SHA256: b5a11b8a198e261609192e65ad1ef746cd2a87b1b94d99d6fb562c2437471303
- SHA512: 6e43e7a33fb0e16999d48938fbc229cfc7367570f391a876be0df07df16f1038e118c59b7b68a767fb8bf9086dd1d620dca58e0b23e221842909f671ac047c99
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
description                         pid   process
Token: SeDebugPrivilege             1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
Token: 33                           1916  bEiR.exe
Token: SeIncBasePriorityPrivilege   1916  bEiR.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                         pid   process   target process
PID 1916 wrote to memory of 1636    1916  bEiR.exe  netsh.exe
PID 1916 wrote to memory of 1636    1916  bEiR.exe  netsh.exe
PID 1916 wrote to memory of 1636    1916  bEiR.exe  netsh.exe
PID 1916 wrote to memory of 1636    1916  bEiR.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bEiR.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bEiR.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\netsh.exe
   Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEiR.exe" "bEiR.exe" ENABLE
   - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1636-56-0x0000000000000000-mapping.dmp
- memory/1916-54-0x0000000075211000-0x0000000075213000-memory.dmp (Filesize: 8KB)
- memory/1916-55-0x00000000747E0000-0x0000000074D8B000-memory.dmp (Filesize: 5.7MB)
- memory/1916-58-0x00000000747E0000-0x0000000074D8B000-memory.dmp (Filesize: 5.7MB)