Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 23:46
Behavioral task: behavioral1
Sample: 1f3f2f032b31e67ed1c10acfe279a759.exe
Resource: win7-20220901-en (windows7-x64)
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 1f3f2f032b31e67ed1c10acfe279a759.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
3 signatures, 150 seconds
General
Target: 1f3f2f032b31e67ed1c10acfe279a759.exe
Size: 37KB
MD5: 1f3f2f032b31e67ed1c10acfe279a759
SHA1: 65f9c5514e141aa69f72eada41721a033e43ba70
SHA256: b83fd7fa8ce7fcd989dec26c5fff0c5a56ae958d19964f991ad166d40d9c70fe
SHA512: e38f701b84b6e652ad4e0b372d01c1a079b35c8bad9c9e7b3cb0b9717571755cefd497ee4d4b5ad9c7eef4e4df539e729193384b5cffc880e11e3d2f26ab1595
SSDEEP: 384:omOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3V:+FdGdkrgYRwWS9rM+rMRa8Nucft
Score: 8/10
Malware Config
Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description / pid / process), 35 entries in this order: SeDebugPrivilege once, then 17 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege:
  Token: SeDebugPrivilege            2816  1f3f2f032b31e67ed1c10acfe279a759.exe  (1 entry)
  Token: 33                          2816  1f3f2f032b31e67ed1c10acfe279a759.exe  (17 entries)
  Token: SeIncBasePriorityPrivilege  2816  1f3f2f032b31e67ed1c10acfe279a759.exe  (17 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process), 3 identical entries:
  PID 2816 wrote to memory of 4984  2816  1f3f2f032b31e67ed1c10acfe279a759.exe  netsh.exe
  PID 2816 wrote to memory of 4984  2816  1f3f2f032b31e67ed1c10acfe279a759.exe  netsh.exe
  PID 2816 wrote to memory of 4984  2816  1f3f2f032b31e67ed1c10acfe279a759.exe  netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1f3f2f032b31e67ed1c10acfe279a759.exe" "1f3f2f032b31e67ed1c10acfe279a759.exe" ENABLE
      - Modifies Windows Firewall