Analysis
- max time kernel: 186s
- max time network: 201s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-08-2022 00:12
Behavioral task: behavioral1
- Sample: 121e18b2c5111707637ef2896cfb566c.exe
- Resource: win7-20220812-en
- windows7-x64
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 121e18b2c5111707637ef2896cfb566c.exe
- Resource: win10v2004-20220812-en
- windows10-2004-x64
- 5 signatures
- 150 seconds
General
- Target: 121e18b2c5111707637ef2896cfb566c.exe
- Size: 37KB
- MD5: 121e18b2c5111707637ef2896cfb566c
- SHA1: 4f7f131ba7dc7e6bfe98c092b95fe891e50b0105
- SHA256: 52f4937c80ab5e677ef2a0a169632067a74f8b9eef4f4994e9f5a9f5e36c2b56
- SHA512: 7035f403662c6f01a4f1475c929888aff82650e2328ce45cd916dbfef7b53542ca5b402f20e189f8afb9f7e8619c21d2dfe7b173872da6965bc7dea86ebfc616
- SSDEEP: 384:u8Os0IiejvCVLO309QmykrtG+dA+VfwvOSifrAF+rMRTyN/0L+EcoinblneHQM3T:GFdGdkrgYRwWS0rM+rMRa8NuHYt
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description / ioc / process:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c60029bc13b6f6bd71b31a478dff99d5.exe (process: 121e18b2c5111707637ef2896cfb566c.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c60029bc13b6f6bd71b31a478dff99d5.exe (process: 121e18b2c5111707637ef2896cfb566c.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c60029bc13b6f6bd71b31a478dff99d5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\121e18b2c5111707637ef2896cfb566c.exe\" .." (process: 121e18b2c5111707637ef2896cfb566c.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c60029bc13b6f6bd71b31a478dff99d5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\121e18b2c5111707637ef2896cfb566c.exe\" .." (process: 121e18b2c5111707637ef2896cfb566c.exe)
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description / pid / process:
  - Token: SeDebugPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: 33 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
  - Token: SeIncBasePriorityPrivilege (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 121e18b2c5111707637ef2896cfb566c.exe
  description / pid / process / target process:
  - PID 3120 wrote to memory of 5060 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe, target: netsh.exe)
  - PID 3120 wrote to memory of 5060 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe, target: netsh.exe)
  - PID 3120 wrote to memory of 5060 (pid 3120, 121e18b2c5111707637ef2896cfb566c.exe, target: netsh.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\121e18b2c5111707637ef2896cfb566c.exe" "121e18b2c5111707637ef2896cfb566c.exe" ENABLE
    - Modifies Windows Firewall