b83fd7fa8ce7fcd989dec26c5fff0c5a56ae958d19964f991ad166d40d9c70fe

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f3f2f032b31e67ed1c10acfe279a759.exe
Size

37KB
MD5

1f3f2f032b31e67ed1c10acfe279a759
SHA1

65f9c5514e141aa69f72eada41721a033e43ba70
SHA256

b83fd7fa8ce7fcd989dec26c5fff0c5a56ae958d19964f991ad166d40d9c70fe
SHA512

e38f701b84b6e652ad4e0b372d01c1a079b35c8bad9c9e7b3cb0b9717571755cefd497ee4d4b5ad9c7eef4e4df539e729193384b5cffc880e11e3d2f26ab1595
SSDEEP

384:omOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3V:+FdGdkrgYRwWS9rM+rMRa8Nucft

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4984 netsh.exe

pid	process
4984	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

1f3f2f032b31e67ed1c10acfe279a759.exe

description	pid	process
Token: SeDebugPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: 33	2816	1f3f2f032b31e67ed1c10acfe279a759.exe
Token: SeIncBasePriorityPrivilege	2816	1f3f2f032b31e67ed1c10acfe279a759.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1f3f2f032b31e67ed1c10acfe279a759.exe

description	pid	process	target process
PID 2816 wrote to memory of 4984	2816	1f3f2f032b31e67ed1c10acfe279a759.exe	netsh.exe
PID 2816 wrote to memory of 4984	2816	1f3f2f032b31e67ed1c10acfe279a759.exe	netsh.exe
PID 2816 wrote to memory of 4984	2816	1f3f2f032b31e67ed1c10acfe279a759.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe
"C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe" "1f3f2f032b31e67ed1c10acfe279a759.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-132-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2816-134-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4984-133-0x0000000000000000-mapping.dmp

Download