5ac858d76e8ff1f69dc3cc87f6fe63c705e73b91141468c2959aebaebeeeb5ed

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-09-2022 04:08

Target

bEG2.exe
Size

23KB
MD5

c84b5aa41ceb238a9b328e4521c2903d
SHA1

6f75576e35f98544a7b938015a74498700aaacef
SHA256

5ac858d76e8ff1f69dc3cc87f6fe63c705e73b91141468c2959aebaebeeeb5ed
SHA512

0be8b058c02fe9429d5a742c859d4bf6b8f0a3fa78916d4be505d20e1a9eeb2e0f58a6aa3f7ea7d5b103465e3bd061ae21a7b30f27a48bdccc5b7a4bce2107e2
SSDEEP

384:ZweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZTH:eLq411eRpcnuk

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1128 netsh.exe

pid	process
1128	netsh.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

bEG2.exe

description	pid	process
Token: SeDebugPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe
Token: 33	1448	bEG2.exe
Token: SeIncBasePriorityPrivilege	1448	bEG2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bEG2.exe

description	pid	process	target process
PID 1448 wrote to memory of 1128	1448	bEG2.exe	netsh.exe
PID 1448 wrote to memory of 1128	1448	bEG2.exe	netsh.exe
PID 1448 wrote to memory of 1128	1448	bEG2.exe	netsh.exe
PID 1448 wrote to memory of 1128	1448	bEG2.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEG2.exe" "bEG2.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1128

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1128-56-0x0000000000000000-mapping.dmp

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-55-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-58-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download