e9f4c7190ff6c34f036720e246c62e26688f13ed3553f50a17d180a576dbf341

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-08-2022 17:08

Target

bElw.exe
Size

23KB
MD5

7a4e65e91ae78468194bad4f8f2bc0f3
SHA1

35d151673768d4b8c6c54dafe93db450a546b56d
SHA256

e9f4c7190ff6c34f036720e246c62e26688f13ed3553f50a17d180a576dbf341
SHA512

b9e8d9899c6ba752473ffad41f21dbe60c4f7feec7c028725088a27570474b9486410e221cc58562ce6db9abe64fd95871e2237b8a82b1ecc6fd739d57042bda

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2024 netsh.exe

pid	process
2024	netsh.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

bElw.exe

description	pid	process
Token: SeDebugPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe
Token: 33	1948	bElw.exe
Token: SeIncBasePriorityPrivilege	1948	bElw.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bElw.exe

description	pid	process	target process
PID 1948 wrote to memory of 2024	1948	bElw.exe	netsh.exe
PID 1948 wrote to memory of 2024	1948	bElw.exe	netsh.exe
PID 1948 wrote to memory of 2024	1948	bElw.exe	netsh.exe
PID 1948 wrote to memory of 2024	1948	bElw.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bElw.exe" "bElw.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2024

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1948-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1948-55-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-58-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download