Analysis
max time kernel: 151s
max time network: 157s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2022 23:46
Behavioral task: behavioral1
Sample: 1f3f2f032b31e67ed1c10acfe279a759.exe
Resource: win7-20220901-en (windows7-x64)
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 1f3f2f032b31e67ed1c10acfe279a759.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
3 signatures, 150 seconds
General
Target: 1f3f2f032b31e67ed1c10acfe279a759.exe
Size: 37KB
MD5: 1f3f2f032b31e67ed1c10acfe279a759
SHA1: 65f9c5514e141aa69f72eada41721a033e43ba70
SHA256: b83fd7fa8ce7fcd989dec26c5fff0c5a56ae958d19964f991ad166d40d9c70fe
SHA512: e38f701b84b6e652ad4e0b372d01c1a079b35c8bad9c9e7b3cb0b9717571755cefd497ee4d4b5ad9c7eef4e4df539e729193384b5cffc880e11e3d2f26ab1595
SSDEEP: 384:omOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3V:+FdGdkrgYRwWS9rM+rMRa8Nucft
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: 33 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
  Token: SeIncBasePriorityPrivilege | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1752 wrote to memory of 1552 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe | netsh.exe
  PID 1752 wrote to memory of 1552 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe | netsh.exe
  PID 1752 wrote to memory of 1552 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe | netsh.exe
  PID 1752 wrote to memory of 1552 | 1752 | 1f3f2f032b31e67ed1c10acfe279a759.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of process 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe" "1f3f2f032b31e67ed1c10acfe279a759.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1552-56-0x0000000000000000-mapping.dmp
- memory/1752-54-0x0000000075111000-0x0000000075113000-memory.dmp (filesize: 8KB)
- memory/1752-55-0x0000000074170000-0x000000007471B000-memory.dmp (filesize: 5.7MB)
- memory/1752-58-0x0000000074170000-0x000000007471B000-memory.dmp (filesize: 5.7MB)