Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-08-2022 17:08
Behavioral task
- task: behavioral1
- sample: bElw.exe
- resource: win7-20220812-en (windows7-x64)
- signatures: 3
- run time: 150 seconds
General
- Target: bElw.exe
- Size: 23KB
- MD5: 7a4e65e91ae78468194bad4f8f2bc0f3
- SHA1: 35d151673768d4b8c6c54dafe93db450a546b56d
- SHA256: e9f4c7190ff6c34f036720e246c62e26688f13ed3553f50a17d180a576dbf341
- SHA512: b9e8d9899c6ba752473ffad41f21dbe60c4f7feec7c028725088a27570474b9486410e221cc58562ce6db9abe64fd95871e2237b8a82b1ecc6fd739d57042bda
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (bElw.exe):
    description                         pid   process
    Token: SeDebugPrivilege             2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
    Token: 33                           2668  bElw.exe
    Token: SeIncBasePriorityPrivilege   2668  bElw.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (bElw.exe):
    description                        pid   process   target process
    PID 2668 wrote to memory of 4920   2668  bElw.exe  netsh.exe
    PID 2668 wrote to memory of 4920   2668  bElw.exe  netsh.exe
    PID 2668 wrote to memory of 4920   2668  bElw.exe  netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\bElw.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bElw.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\netsh.exe (child of bElw.exe)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bElw.exe" "bElw.exe" ENABLE
    - Modifies Windows Firewall