Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 16-08-2022 17:08
Behavioral task: behavioral1
- Sample: bElw.exe
- Resource: win7-20220812-en (windows7-x64)
- 3 signatures
- 150 seconds
General
- Target: bElw.exe
- Size: 23KB
- MD5: 7a4e65e91ae78468194bad4f8f2bc0f3
- SHA1: 35d151673768d4b8c6c54dafe93db450a546b56d
- SHA256: e9f4c7190ff6c34f036720e246c62e26688f13ed3553f50a17d180a576dbf341
- SHA512: b9e8d9899c6ba752473ffad41f21dbe60c4f7feec7c028725088a27570474b9486410e221cc58562ce6db9abe64fd95871e2237b8a82b1ecc6fd739d57042bda
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: bElw.exe
  description                            pid   process
  Token: SeDebugPrivilege                1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
  Token: 33                              1948  bElw.exe
  Token: SeIncBasePriorityPrivilege      1948  bElw.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: bElw.exe
  description                      pid   process   target process
  PID 1948 wrote to memory of 2024 1948  bElw.exe  netsh.exe
  PID 1948 wrote to memory of 2024 1948  bElw.exe  netsh.exe
  PID 1948 wrote to memory of 2024 1948  bElw.exe  netsh.exe
  PID 1948 wrote to memory of 2024 1948  bElw.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bElw.exe (PID 1948, process tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bElw.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (PID 2024, process tree level 2, child of bElw.exe)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bElw.exe" "bElw.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1948-54-0x0000000076031000-0x0000000076033000-memory.dmp (Filesize: 8KB)
- memory/1948-55-0x0000000074360000-0x000000007490B000-memory.dmp (Filesize: 5.7MB)
- memory/1948-58-0x0000000074360000-0x000000007490B000-memory.dmp (Filesize: 5.7MB)
- memory/2024-56-0x0000000000000000-mapping.dmp