Analysis

- max time kernel: 246s
- max time network: 369s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 16:55

Static task: static1

Behavioral task: behavioral1
- Sample: 8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
- Resource: win7-20221111-en
- 3 signatures
- 150 seconds
General

- Target: 8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
- Size: 409KB
- MD5: f6de96d41cc2a450e63cbbbc87b940c6
- SHA1: 330da7256bbb806cfbf4853448849c22424d9719
- SHA256: 8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf
- SHA512: 8084b9cd8f7b65c8c464130d342097bd1bc313d702518aeb57a87dcd5a5de61164c1ebe53e84c537a32e00aa97e1f359ddffc0a5ba01854463c3a65667f7ad00
- SSDEEP: 12288:plgEN/GPqEDwnjf0W2rZo5bIxk6v8XGPgEc:cEN/GPqEDwnjf92rZo5bqfv4t

Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
  IoC: PID 1548, C:\Windows\SysWOW64\netsh.exe, run with "firewall add allowedprogram" to put the sample's own executable, C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe, on the firewall's allowed-programs list (full command line in the process tree).
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege            1532  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  (1 event)
    Token: 33                          1532  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  (10 events)
    Token: SeIncBasePriorityPrivilege  1532  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  (10 events)
  The 21 events are one SeDebugPrivilege enable followed by ten repetitions of the pair (33, SeIncBasePriorityPrivilege), all in the sample's own process (PID 1532). "33" is a privilege LUID the sandbox did not resolve to a name (33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h). SeDebugPrivilege is the one worth noting: it is enabled by code that intends to open other processes with full access, although the only cross-process activity this report records is the sample's own netsh.exe child.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 1532 wrote to memory of 1548   1532  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  netsh.exe  (4 events)
  All four writes go from the sample to the netsh.exe child it has just created (PID 1548). A parent writing a few times into a child immediately after starting it is the same pattern the sandbox records for a plain CreateProcess, so on its own this is not evidence of code injection; the report shows no other cross-process writes and, for PID 1548, dumps only the memory map rather than any injected region.
Processes

- C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  (PID 1532, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe  (PID 1548, depth 2, child of 1532)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe" "8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe" ENABLE
    - Modifies Windows Firewall

Three things in this tree are useful to a responder. netsh.exe is loaded from SysWOW64, so the parent is a 32-bit process running under WoW64 on the x64 image (consistent with the arch:x86 resource tag). "netsh firewall" is the legacy Windows XP firewall context, deprecated since Vista in favour of "netsh advfirewall" but still honoured on Windows 7; seeing it on a modern host is itself a weak indicator. And the rule allows the sample's own executable, sitting in the user's Temp directory, through the firewall, which is what malware that expects inbound connections typically does before listening; the report's empty Network section shows no such connection during the 150-second run.
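One way to turn the process tree above into a detection, as an added example that is not part of the sandbox report: flag any netsh.exe process whose firewall allow-rule names its parent's own image or a program under a user-writable directory. The two report events (PIDs 1532 and 1548, paths and command line as shown) are reproduced as constructed records; the parent PID 1000, the benign control events, the USER_WRITABLE directory list and the field names pid/ppid/image/cmdline are assumptions for the example, loosely following Sysmon event ID 1 fields. The parser also handles the current "netsh advfirewall" syntax, which this sample does not use.

```python
"""Detect a process opening the Windows Firewall for itself via netsh.

Added example, not part of the sandbox report.  Event records are
constructed; field names follow a simplified Sysmon event ID 1 layout.
"""
import re
from pathlib import PureWindowsPath

# Directories a legitimate installer rarely opens the firewall from.
# Assumption for the example; extend per environment.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Legacy XP-era syntax, still honoured on Windows 7 (the one this sample uses):
#   netsh firewall add allowedprogram <path> <name> ENABLE
LEGACY = re.compile(
    r'^\s*netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
# Current syntax:
#   netsh advfirewall firewall add rule ... action=allow program=<path> ...
ADV = re.compile(
    r'^\s*netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)


def allowed_program_path(cmdline):
    """Return the program a netsh command allows through the firewall, or None."""
    m = LEGACY.match(cmdline)
    if m:
        return m.group(1) or m.group(2)
    m = ADV.match(cmdline)
    if m and re.search(r"\baction=allow\b", cmdline, re.IGNORECASE):
        return m.group(1) or m.group(2)
    return None


def in_user_writable(path):
    """True if the path sits under one of the USER_WRITABLE directories."""
    p = path.lower().replace("/", "\\")
    return any(d in p for d in USER_WRITABLE)


def detect_self_allow(events):
    """Flag netsh allow-rules whose target is the parent's own image or lives
    under a user-writable directory.  Returns one dict per suspicious event."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "netsh.exe":
            continue
        target = allowed_program_path(e["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(e["ppid"])
        reasons = []
        if parent and target.lower() == parent["image"].lower():
            reasons.append("allows parent's own image")
        if in_user_writable(target):
            reasons.append("target under user-writable directory")
        if reasons:
            hits.append({"pid": e["pid"], "ppid": e["ppid"],
                         "target": target, "reasons": reasons})
    return hits


SAMPLE = "8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events: the first two mirror the report's process tree
# (ppid 1000 is assumed), the last two are benign controls.
EVENTS = [
    {"pid": 1532, "ppid": 1000, "image": SAMPLE_PATH, "cmdline": '"%s"' % SAMPLE_PATH},
    {"pid": 1548, "ppid": 1532, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "%s" "%s" ENABLE' % (SAMPLE_PATH, SAMPLE)},
    {"pid": 2000, "ppid": 1999, "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in '
                'action=allow program="C:\\Windows\\System32\\svchost.exe" enable=yes'},
    {"pid": 2001, "ppid": 1999, "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for hit in detect_self_allow(EVENTS):
        print("PID %(pid)d (parent %(ppid)d) allows %(target)s: %(reasons)s" % hit)
```

Only the report's netsh.exe event is flagged, on both grounds; the advfirewall rule for a System32 binary and the non-firewall netsh invocation pass. Matching on the parent's image rather than only on the Temp path is what keeps the rule useful when the dropper runs from a less obvious directory.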
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1532-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp  Filesize: 8KB
- memory/1532-55-0x0000000073F70000-0x000000007451B000-memory.dmp  Filesize: 5.7MB
- memory/1532-56-0x0000000073F70000-0x000000007451B000-memory.dmp  Filesize: 5.7MB
- memory/1548-57-0x0000000000000000-mapping.dmp

Dumps 55 and 56 are the same 5.7MB region of the sample (0x73F70000 to 0x7451B000) captured twice; 57 is the memory map of netsh.exe (PID 1548), not a region dump.