Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06-09-2022 04:08
Behavioral task: behavioral1
Sample: bEG2.exe
Resource: win7-20220901-en (windows7-x64)
3 signatures, 150 seconds
General
Target: bEG2.exe
Size: 23KB
MD5: c84b5aa41ceb238a9b328e4521c2903d
SHA1: 6f75576e35f98544a7b938015a74498700aaacef
SHA256: 5ac858d76e8ff1f69dc3cc87f6fe63c705e73b91141468c2959aebaebeeeb5ed
SHA512: 0be8b058c02fe9429d5a742c859d4bf6b8f0a3fa78916d4be505d20e1a9eeb2e0f58a6aa3f7ea7d5b103465e3bd061ae21a7b30f27a48bdccc5b7a4bce2107e2
SSDEEP: 384:ZweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZTH:eLq411eRpcnuk
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes (bEG2.exe):
  description                         pid   process
  Token: SeDebugPrivilege             1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
  Token: 33                           1448  bEG2.exe
  Token: SeIncBasePriorityPrivilege   1448  bEG2.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (bEG2.exe):
  description                         pid   process   target process
  PID 1448 wrote to memory of 1128    1448  bEG2.exe  netsh.exe
  PID 1448 wrote to memory of 1128    1448  bEG2.exe  netsh.exe
  PID 1448 wrote to memory of 1128    1448  bEG2.exe  netsh.exe
  PID 1448 wrote to memory of 1128    1448  bEG2.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bEG2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bEG2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEG2.exe" "bEG2.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1128-56-0x0000000000000000-mapping.dmp
- memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp (Filesize: 8KB)
- memory/1448-55-0x0000000074530000-0x0000000074ADB000-memory.dmp (Filesize: 5.7MB)
- memory/1448-58-0x0000000074530000-0x0000000074ADB000-memory.dmp (Filesize: 5.7MB)