Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 23:21
Behavioral task
behavioral1
Sample
0c4a0b73ab18048c669f89d54ef9951a.exe
Resource
win7-20220812-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
0c4a0b73ab18048c669f89d54ef9951a.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
3 signatures
150 seconds
General
Target: 0c4a0b73ab18048c669f89d54ef9951a.exe
Size: 36KB
MD5: 0c4a0b73ab18048c669f89d54ef9951a
SHA1: 9a8075230f8b0ca5f4137648d98d7425664e423a
SHA256: c6cded3064fbdc89fdf8f8393686caa9e988e109ddf105b9ec0a69b3ca69a29f
SHA512: b127ac85456e8519b5014ec5a34e5a961eff515afa28eead14048a143d302eb431eca6200d87fb31bb147f7977563f758fda9117e9de2a297dd3c5dfbda3341a
SSDEEP: 384:bmOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3S:BFdGdkrgYRwWS9rM+rMRa8NukWt
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes: 0c4a0b73ab18048c669f89d54ef9951a.exe
  description                        pid   process
  Token: SeDebugPrivilege            1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33                          1976  0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege  1976  0c4a0b73ab18048c669f89d54ef9951a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 0c4a0b73ab18048c669f89d54ef9951a.exe
  description                         pid   process                               target process
  PID 1976 wrote to memory of 2000    1976  0c4a0b73ab18048c669f89d54ef9951a.exe  netsh.exe
  PID 1976 wrote to memory of 2000    1976  0c4a0b73ab18048c669f89d54ef9951a.exe  netsh.exe
  PID 1976 wrote to memory of 2000    1976  0c4a0b73ab18048c669f89d54ef9951a.exe  netsh.exe
  PID 1976 wrote to memory of 2000    1976  0c4a0b73ab18048c669f89d54ef9951a.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of process 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe" "0c4a0b73ab18048c669f89d54ef9951a.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp  Filesize: 8KB
memory/1976-55-0x0000000074B10000-0x00000000750BB000-memory.dmp  Filesize: 5.7MB
memory/1976-58-0x0000000074B10000-0x00000000750BB000-memory.dmp  Filesize: 5.7MB
memory/2000-56-0x0000000000000000-mapping.dmp