Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2022 02:08
Behavioral task
- behavioral1
  Sample: bEiR.exe
  Resource: win7-20220812-en (windows7-x64)
  3 signatures, 150 seconds
General
- Target: bEiR.exe
- Size: 23KB
- MD5: b4355ec0815354965333f61ef03df0b4
- SHA1: a7ec0778d34b932de187d90c92e3af10b31088a2
- SHA256: b5a11b8a198e261609192e65ad1ef746cd2a87b1b94d99d6fb562c2437471303
- SHA512: 6e43e7a33fb0e16999d48938fbc229cfc7367570f391a876be0df07df16f1038e118c59b7b68a767fb8bf9086dd1d620dca58e0b23e221842909f671ac047c99
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
  description   pid    process    token
  bEiR.exe      3516   bEiR.exe   SeDebugPrivilege
  bEiR.exe      3516   bEiR.exe   33
  bEiR.exe      3516   bEiR.exe   SeIncBasePriorityPrivilege
  (the last two rows alternate a further 16 times, 35 entries in all)
The entry shown as 33 is a privilege the sandbox reports only by its LUID; on Windows, LUID 33 is SeIncreaseWorkingSetPrivilege. The entry worth attention is SeDebugPrivilege: a 23KB binary running from the user's Temp directory has no ordinary reason to enable the privilege that lets it open processes owned by other users or SYSTEM.
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description   pid    process    target pid   target process
  bEiR.exe      3516   bEiR.exe   4588         netsh.exe
  bEiR.exe      3516   bEiR.exe   4588         netsh.exe
  bEiR.exe      3516   bEiR.exe   4588         netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bEiR.exe (PID 3516, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bEiR.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (PID 4588, depth 2, child of bEiR.exe)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEiR.exe" "bEiR.exe" ENABLE
    - Modifies Windows Firewall
The child spawned through netsh is the report's single firewall-related IoC: the sample adds an inbound exception for its own executable, using the legacy "netsh firewall" context, which the sandbox shows is still accepted on Windows 10 2004. Netsh being loaded from SysWOW64 rather than System32 on this x64 image means the parent is a 32-bit process and the path was redirected by WOW64.
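A detection for the chain above, written as an added example rather than anything from the sandbox or the sample: it takes process-creation events (constructed here; the bEiR.exe and netsh.exe PIDs, images and command lines follow the report, while the parent PID 2980 and the two events from a PID 1040 are invented for contrast), recognises both the legacy "netsh firewall add allowedprogram" and the current "netsh advfirewall firewall add rule" syntaxes, and rates a finding high when the whitelisted program is the parent process itself or lives in a user-writable directory. The names analyze, parse_netsh_firewall_add, SAMPLE_EVENTS and the event field names are my own, not an existing tool's API.

```python
import re
from typing import Optional

# Directories any standard user can write to. A firewall exception for a
# binary that lives here is the self-whitelisting pattern seen in the tree.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Constructed process-creation events, not sandbox output. The bEiR.exe and
# netsh.exe rows follow the report; PID 2980 and the PID 1040 rows are made up.
SAMPLE_EVENTS = [
    {"pid": 3516, "ppid": 2980, "image": r"C:\Users\Admin\AppData\Local\Temp\bEiR.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bEiR.exe"'},
    {"pid": 4588, "ppid": 3516, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEiR.exe" "bEiR.exe" ENABLE'},
    {"pid": 5120, "ppid": 1040, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\Corp\vpn.exe"'},
    {"pid": 5200, "ppid": 1040, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans
    (including key="some value") as one token and dropping the quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def parse_netsh_firewall_add(cmdline: str) -> Optional[dict]:
    """Return {syntax, program, name, mode} when the command line adds a
    per-program firewall exception in either netsh syntax, else None.

    Legacy context (what the sample used):
      netsh firewall add allowedprogram <path> <name> [ENABLE|DISABLE]
      netsh firewall add allowedprogram program=<path> name=<n> mode=ENABLE
    Current context:
      netsh advfirewall firewall add rule name=<n> dir=in action=allow program=<path>
    """
    toks = tokenize(cmdline)
    if not toks or not re.fullmatch(r"(.*\\)?netsh(\.exe)?", toks[0].lower()):
        return None
    kv, positional = {}, []
    for t in toks[1:]:
        if "=" in t:
            k, _, v = t.partition("=")
            kv[k.lower()] = v
        else:
            positional.append(t)
    verbs = [p.lower() for p in positional]
    if verbs[:3] == ["firewall", "add", "allowedprogram"]:
        rest = positional[3:]  # positional form: path, name, mode
        return {
            "syntax": "legacy",
            "program": kv.get("program") or (rest[0] if len(rest) > 0 else None),
            "name": kv.get("name") or (rest[1] if len(rest) > 1 else None),
            "mode": (kv.get("mode") or (rest[2] if len(rest) > 2 else "ENABLE")).upper(),
        }
    if verbs[:4] == ["advfirewall", "firewall", "add", "rule"] and "program" in kv:
        return {
            "syntax": "advfirewall",
            "program": kv["program"],
            "name": kv.get("name"),
            "mode": kv.get("action", "").upper(),  # ALLOW or BLOCK
        }
    return None


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def analyze(events: list) -> list:
    """Flag netsh invocations that open the host firewall for a program.
    Severity is high when the program is the parent process itself
    (self-whitelisting) or sits in a user-writable directory, else medium."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        rule = parse_netsh_firewall_add(e["cmdline"])
        if rule is None or not rule["program"] or rule["mode"] not in ("ENABLE", "ALLOW"):
            continue
        parent_image = by_pid.get(e["ppid"], {}).get("image", "")
        self_whitelist = parent_image.lower() == rule["program"].lower()
        severity = "high" if self_whitelist or in_user_writable_dir(rule["program"]) else "medium"
        findings.append({
            "pid": e["pid"], "ppid": e["ppid"], "parent_image": parent_image,
            "program": rule["program"], "rule_name": rule["name"], "syntax": rule["syntax"],
            "self_whitelist": self_whitelist, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        tag = " [self-whitelisting]" if f["self_whitelist"] else ""
        print(f"[{f['severity']}] pid {f['pid']} (parent {f['parent_image'] or '?'}) "
              f"added {f['syntax']} firewall exception for {f['program']}{tag}")
```

To run this against real telemetry, map Sysmon event 1 or Security 4688 fields (ProcessId, ParentProcessId, Image, CommandLine) onto the same dict keys; the parent lookup needs the parent's own creation event to be in the same batch, otherwise the self-whitelisting check degrades to the directory heuristic. Because the legacy context is translated into ordinary firewall rules, the exception this sample adds is visible afterwards through Get-NetFirewallRule or netsh advfirewall firewall show rule, which is the check to run on a host where this chain was seen.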