Analysis

max time kernel: 292s
max time network: 383s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 16:55

Static task: static1
Behavioral task: behavioral1
Sample: 8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Resource: win7-20221111-en
3 signatures, 150 seconds
General

Target: 8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
Size: 409KB
MD5: f6de96d41cc2a450e63cbbbc87b940c6
SHA1: 330da7256bbb806cfbf4853448849c22424d9719
SHA256: 8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf
SHA512: 8084b9cd8f7b65c8c464130d342097bd1bc313d702518aeb57a87dcd5a5de61164c1ebe53e84c537a32e00aa97e1f359ddffc0a5ba01854463c3a65667f7ad00
SSDEEP: 12288:plgEN/GPqEDwnjf0W2rZo5bIxk6v8XGPgEc:cEN/GPqEDwnjf92rZo5bqfv4t
Malware Config
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                        pid   process                                                                  target process
PID 4960 wrote to memory of 3896   4960  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  netsh.exe
PID 4960 wrote to memory of 3896   4960  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  netsh.exe
PID 4960 wrote to memory of 3896   4960  8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe  netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe" "8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe" ENABLE
      - Modifies Windows Firewall
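The behaviour worth alerting on in this tree is the second process: the sample, running from the user's Temp directory, spawns netsh.exe to add its own binary to the Windows Firewall allowed-programs list (ATT&CK T1562.004, Disable or Modify System Firewall). It uses the deprecated `netsh firewall` context rather than the current `netsh advfirewall firewall add rule ... program=...`; both forms create an inbound allow rule for the named program, so a detection should cover both. The detector below is an added example, not code from the report or from the sample. It runs over constructed process-creation records in the shape of Sysmon Event ID 1 data (the pid/image/parent_image/cmdline field names and the explorer.exe parent of the sample are assumptions), reproduces the report's two processes with the pids and command lines listed above, and adds three invented administrative invocations to show what is and is not flagged. It rates a finding high when the parent process allowlists its own binary or the allowed program lives in a user-writable directory, which is exactly the pattern in this report.

```python
"""Detect netsh invocations that modify Windows Firewall (ATT&CK T1562.004).

Added example, not code from the sandbox report or the sample it describes.
Input records are constructed here in the shape of Sysmon Event ID 1
(process creation) data; the field names pid/image/parent_image/cmdline
are assumed for this example.
"""
import re
from typing import Dict, List, Optional

# Deprecated context used by the sample, plus the current advfirewall context.
LEGACY_RE = re.compile(
    r"\bfirewall\s+(?:add|set)\s+(?:allowedprogram|portopening|opmode)\b", re.I)
ADVFW_RE = re.compile(
    r"\badvfirewall\s+(?:firewall\s+(?:add|set|delete)\s+rule\b"
    r"|set\s+\w+\s+state\s+off\b)", re.I)
# program="C:\a b\x.exe", program=C:\x.exe, or the positional path right
# after "allowedprogram" (the form seen in the report).
PROGRAM_RE = re.compile(
    r'(?:\bprogram\s*=\s*|\ballowedprogram\s+(?!program\s*=))'
    r'(?:"([^"]+)"|(\S+))', re.I)

# Locations an unprivileged user can write to; an allowed program here is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8a637e0a8c13c762b8347387fab064d14dfaae22cae9b05faf74f36880a529bf.exe")
SAMPLE_NAME = SAMPLE.rsplit("\\", 1)[-1]

# Constructed records: the two processes from the report's tree (pids and
# command lines as listed there; the explorer.exe parent is assumed) plus
# three invented administrative invocations.
EVENTS: List[Dict[str, object]] = [
    {"pid": 4960, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 3896, "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": SAMPLE,
     "cmdline": f'netsh firewall add allowedprogram "{SAMPLE}" "{SAMPLE_NAME}" ENABLE'},
    {"pid": 5120, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Allow SQL" dir=in action=allow '
                'program="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe" '
                'enable=yes'},
    {"pid": 5180, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface show interface"},
    {"pid": 5204, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
]


def extract_program(cmdline: str) -> Optional[str]:
    """Return the program path a netsh firewall command names, if any."""
    m = PROGRAM_RE.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip()


def classify(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for a netsh process that changes firewall policy, else None."""
    image = str(event.get("image", "")).lower()
    if image.rsplit("\\", 1)[-1] != "netsh.exe":
        return None
    cmd = str(event.get("cmdline", ""))
    if LEGACY_RE.search(cmd):
        context = "netsh firewall (deprecated context)"
    elif ADVFW_RE.search(cmd):
        context = "netsh advfirewall"
    else:
        return None  # other netsh contexts (interface, wlan, ...) are out of scope
    program = extract_program(cmd)
    parent = str(event.get("parent_image", "")).lower()
    reasons: List[str] = []
    if program and program.lower() == parent:
        reasons.append("parent process allowlists its own binary")
    if program and any(d in program.lower() for d in USER_WRITABLE):
        reasons.append("allowed program lives in a user-writable directory")
    return {
        "pid": event.get("pid"),
        "technique": "T1562.004",
        "context": context,
        "program": program,
        "severity": "high" if reasons else "medium",
        "reasons": reasons,
    }


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of process-creation records."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Any firewall change from netsh is reported (the administrative `advfirewall` rule and the `state off` call come back as medium), while only the self-allowlisting from a Temp path scores high. On a live host, the rule the sample created can be confirmed with `Get-NetFirewallApplicationFilter -Program '<path>' | Get-NetFirewallRule` or `netsh advfirewall firewall show rule name=all`, and should be removed along with the binary it names.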