c6cded3064fbdc89fdf8f8393686caa9e988e109ddf105b9ec0a69b3ca69a29f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 23:21

Target

0c4a0b73ab18048c669f89d54ef9951a.exe
Size

36KB
MD5

0c4a0b73ab18048c669f89d54ef9951a
SHA1

9a8075230f8b0ca5f4137648d98d7425664e423a
SHA256

c6cded3064fbdc89fdf8f8393686caa9e988e109ddf105b9ec0a69b3ca69a29f
SHA512

b127ac85456e8519b5014ec5a34e5a961eff515afa28eead14048a143d302eb431eca6200d87fb31bb147f7977563f758fda9117e9de2a297dd3c5dfbda3341a
SSDEEP

384:bmOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3S:BFdGdkrgYRwWS9rM+rMRa8NukWt

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2000 netsh.exe

pid	process
2000	netsh.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

0c4a0b73ab18048c669f89d54ef9951a.exe

description	pid	process
Token: SeDebugPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	1976	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	1976	0c4a0b73ab18048c669f89d54ef9951a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0c4a0b73ab18048c669f89d54ef9951a.exe

description	pid	process	target process
PID 1976 wrote to memory of 2000	1976	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe
PID 1976 wrote to memory of 2000	1976	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe
PID 1976 wrote to memory of 2000	1976	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe
PID 1976 wrote to memory of 2000	1976	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe" "0c4a0b73ab18048c669f89d54ef9951a.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2000

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-58-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-56-0x0000000000000000-mapping.dmp

Download