8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf

Analysis

max time kernel
246s
max time network
369s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Size

409KB
MD5

f6de96d41cc2a450e63cbbbc87b940c6
SHA1

330da7256bbb806cfbf4853448849c22424d9719
SHA256

8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf
SHA512

8084b9cd8f7b65c8c464130d342097bd1bc313d702518aeb57a87dcd5a5de61164c1ebe53e84c537a32e00aa97e1f359ddffc0a5ba01854463c3a65667f7ad00
SSDEEP

12288:plgEN/GPqEDwnjf0W2rZo5bIxk6v8XGPgEc:cEN/GPqEDwnjf92rZo5bqfv4t

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1548 netsh.exe

pid	process
1548	netsh.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe

description	pid	process
Token: SeDebugPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: 33	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Token: SeIncBasePriorityPrivilege	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe

description	pid	process	target process
PID 1532 wrote to memory of 1548	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe	netsh.exe
PID 1532 wrote to memory of 1548	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe	netsh.exe
PID 1532 wrote to memory of 1548	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe	netsh.exe
PID 1532 wrote to memory of 1548	1532	8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
"C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe" "8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/1532-55-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-56-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-57-0x0000000000000000-mapping.dmp

Download