c6cded3064fbdc89fdf8f8393686caa9e988e109ddf105b9ec0a69b3ca69a29f

Analysis

max time kernel
207s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c4a0b73ab18048c669f89d54ef9951a.exe
Size

36KB
MD5

0c4a0b73ab18048c669f89d54ef9951a
SHA1

9a8075230f8b0ca5f4137648d98d7425664e423a
SHA256

c6cded3064fbdc89fdf8f8393686caa9e988e109ddf105b9ec0a69b3ca69a29f
SHA512

b127ac85456e8519b5014ec5a34e5a961eff515afa28eead14048a143d302eb431eca6200d87fb31bb147f7977563f758fda9117e9de2a297dd3c5dfbda3341a
SSDEEP

384:bmOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3S:BFdGdkrgYRwWS9rM+rMRa8NukWt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4604 netsh.exe

pid	process
4604	netsh.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

0c4a0b73ab18048c669f89d54ef9951a.exe

description	pid	process
Token: SeDebugPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: 33	4524	0c4a0b73ab18048c669f89d54ef9951a.exe
Token: SeIncBasePriorityPrivilege	4524	0c4a0b73ab18048c669f89d54ef9951a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0c4a0b73ab18048c669f89d54ef9951a.exe

description	pid	process	target process
PID 4524 wrote to memory of 4604	4524	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe
PID 4524 wrote to memory of 4604	4524	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe
PID 4524 wrote to memory of 4604	4524	0c4a0b73ab18048c669f89d54ef9951a.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe
"C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe" "0c4a0b73ab18048c669f89d54ef9951a.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4524-133-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4524-134-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4604-135-0x0000000000000000-mapping.dmp

Download