Analysis
max time kernel: 207s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 23:21
Behavioral task: behavioral1
Sample: 0c4a0b73ab18048c669f89d54ef9951a.exe
Resource: win7-20220812-en (windows7-x64)
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 0c4a0b73ab18048c669f89d54ef9951a.exe
Resource: win10v2004-20221111-en (windows10-2004-x64)
3 signatures, 150 seconds
General
Target: 0c4a0b73ab18048c669f89d54ef9951a.exe
Size: 36KB
MD5: 0c4a0b73ab18048c669f89d54ef9951a
SHA1: 9a8075230f8b0ca5f4137648d98d7425664e423a
SHA256: c6cded3064fbdc89fdf8f8393686caa9e988e109ddf105b9ec0a69b3ca69a29f
SHA512: b127ac85456e8519b5014ec5a34e5a961eff515afa28eead14048a143d302eb431eca6200d87fb31bb147f7977563f758fda9117e9de2a297dd3c5dfbda3341a
SSDEEP: 384:bmOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3S:BFdGdkrgYRwWS9rM+rMRa8NukWt
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: 33 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
  Token: SeIncBasePriorityPrivilege | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4524 wrote to memory of 4604 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe | netsh.exe
  PID 4524 wrote to memory of 4604 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe | netsh.exe
  PID 4524 wrote to memory of 4604 | 4524 | 0c4a0b73ab18048c669f89d54ef9951a.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0c4a0b73ab18048c669f89d54ef9951a.exe" "0c4a0b73ab18048c669f89d54ef9951a.exe" ENABLE
      - Modifies Windows Firewall