3bcac9666c13e12dc163e6f9e071bd613f052f1c1bbd283eec6f54e27f722c9e

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2023, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d74fc7b25971340e54688ca3f05ebff.exe
Size

93KB
MD5

2d74fc7b25971340e54688ca3f05ebff
SHA1

80a4cad74c96133ac0f4fcbaf9c0f45bde6401c7
SHA256

3bcac9666c13e12dc163e6f9e071bd613f052f1c1bbd283eec6f54e27f722c9e
SHA512

a4a7487cebd10a1a4038ac4d19f643aedbeca90331550e2c66d1148826579cdf0f9d19b8fe3c0c2e23b5f349e736a4b90dc1d04b5f7abcb4155ae17a148f2b82
SSDEEP

768:oY3fCpD9O/pBcxYsbae6GIXb9pDX2b98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk35sGn:PCLOx6baIa9RPj00ljEwzGi1dDpDLgS

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4472	netsh.exe
4112	netsh.exe
1152	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe
4972	2d74fc7b25971340e54688ca3f05ebff.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4972	2d74fc7b25971340e54688ca3f05ebff.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: 33	4972	2d74fc7b25971340e54688ca3f05ebff.exe
Token: SeIncBasePriorityPrivilege	4972	2d74fc7b25971340e54688ca3f05ebff.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4112	4972	2d74fc7b25971340e54688ca3f05ebff.exe	82
PID 4972 wrote to memory of 4112	4972	2d74fc7b25971340e54688ca3f05ebff.exe	82
PID 4972 wrote to memory of 4112	4972	2d74fc7b25971340e54688ca3f05ebff.exe	82
PID 4972 wrote to memory of 1152	4972	2d74fc7b25971340e54688ca3f05ebff.exe	84
PID 4972 wrote to memory of 1152	4972	2d74fc7b25971340e54688ca3f05ebff.exe	84
PID 4972 wrote to memory of 1152	4972	2d74fc7b25971340e54688ca3f05ebff.exe	84
PID 4972 wrote to memory of 4472	4972	2d74fc7b25971340e54688ca3f05ebff.exe	87
PID 4972 wrote to memory of 4472	4972	2d74fc7b25971340e54688ca3f05ebff.exe	87
PID 4972 wrote to memory of 4472	4972	2d74fc7b25971340e54688ca3f05ebff.exe	87

C:\Users\Admin\AppData\Local\Temp\2d74fc7b25971340e54688ca3f05ebff.exe
"C:\Users\Admin\AppData\Local\Temp\2d74fc7b25971340e54688ca3f05ebff.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2d74fc7b25971340e54688ca3f05ebff.exe" "2d74fc7b25971340e54688ca3f05ebff.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4112
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\2d74fc7b25971340e54688ca3f05ebff.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1152
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\2d74fc7b25971340e54688ca3f05ebff.exe" "2d74fc7b25971340e54688ca3f05ebff.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4972-132-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4972-136-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download