e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 00:33

Target

e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe
Size

243KB
MD5

6b695a7b241359cba5a4e94751902d90
SHA1

684bde72a7a20d6db8f7d81e6f6dadfd9b8a44ab
SHA256

e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df
SHA512

93e406ec9ba9d91f5878989d7973817b6eac75d0d13a80920e4fd9f669619ea4e54038970b30691ad049775f838b646915d84f3cab127d4cfcbe6a4cfdf0deba
SSDEEP

6144:GWzpIiSxD3vAJVbG+KxRTnGeM8GCsMbH6eKKN:XzCiOrIFbK3aerZjK

Score

8^/10

evasion

Executes dropped EXE 1 IoCs

Processes:

176.exe

pid process

1368 176.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4008 netsh.exe

pid	process
4008	netsh.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

176.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

176.exe

description pid process

Token: SeDebugPrivilege 1368 176.exe

description	pid	process
Token: SeDebugPrivilege	1368	176.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe176.exe

description	pid	process	target process
PID 4740 wrote to memory of 1368	4740	e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe	176.exe
PID 4740 wrote to memory of 1368	4740	e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe	176.exe
PID 1368 wrote to memory of 4008	1368	176.exe	netsh.exe
PID 1368 wrote to memory of 4008	1368	176.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe
"C:\Users\Admin\AppData\Local\Temp\e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\176.exe" "176.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4008

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\176.exe
Filesize
25KB

MD5
7aab149914450a3c3ea4c9a3f99ebb40

SHA1
fa8f8a70da5ad262681ebb281742ae1df3e3ce5e

SHA256
145b1c8660a52b6ae1a37bf489f1d388af9c3788caa352044149ccac0e08507a

SHA512
8bdf5aca54b92ca167c6a64f81a7489cb7330f32d7872ed624c7071570b6f5d9b25f21c36e970b88df3b9b539bf8aae4dc5dee2b852858ac95a7ad230b6b2f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\176.exe
Filesize
25KB

MD5
7aab149914450a3c3ea4c9a3f99ebb40

SHA1
fa8f8a70da5ad262681ebb281742ae1df3e3ce5e

SHA256
145b1c8660a52b6ae1a37bf489f1d388af9c3788caa352044149ccac0e08507a

SHA512
8bdf5aca54b92ca167c6a64f81a7489cb7330f32d7872ed624c7071570b6f5d9b25f21c36e970b88df3b9b539bf8aae4dc5dee2b852858ac95a7ad230b6b2f7f

Download Submit
memory/1368-134-0x0000000000000000-mapping.dmp

Download
memory/1368-137-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/1368-138-0x00007FFE99380000-0x00007FFE99E41000-memory.dmp

Filesize
10.8MB

Download
memory/1368-141-0x00007FFE99380000-0x00007FFE99E41000-memory.dmp

Filesize
10.8MB

Download
memory/4008-139-0x0000000000000000-mapping.dmp

Download
memory/4740-132-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/4740-133-0x00007FFE99380000-0x00007FFE99E41000-memory.dmp

Filesize
10.8MB

Download
memory/4740-140-0x00007FFE99380000-0x00007FFE99E41000-memory.dmp

Filesize
10.8MB

Download