Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2023 04:08
Behavioral task: behavioral1
- Sample: bK7G.exe
- Resource: win7-20230220-en
- windows7-x64
- 6 signatures
- 150 seconds
General
- Target: bK7G.exe
- Size: 23KB
- MD5: 227368ebab549d28b20ce786f72320c7
- SHA1: 50f7d115ef22a2ea3d906af5e675f416ee78b5b8
- SHA256: 8c402138d923ed8e4403dd04010eaa9c593f42fc02c5fa349774c44d8dda006e
- SHA512: 9fd1d82ba2c09c23280ab00cf99790d2c66d1c4e1ebed32b6e8f5ab5f27814d95c800b18da216656b536f3f0cb1c069a29ada8ec46c6a8805e9dc2a630651f39
- SSDEEP: 384:0oWtkEwn65rgjAsGipk58D16xgXakhbZD0mRvR6JZlbw8hqIusZzZMQ:j7O89pbrRpcnui
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 2 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: bK7G.exe
  description                        pid   process
  Token: SeDebugPrivilege            1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
  Token: 33                          1744  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1744  bK7G.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: bK7G.exe, cmd.exe
  description                        pid   process   target process
  PID 1744 wrote to memory of 4972   1744  bK7G.exe  netsh.exe
  PID 1744 wrote to memory of 4972   1744  bK7G.exe  netsh.exe
  PID 1744 wrote to memory of 4972   1744  bK7G.exe  netsh.exe
  PID 1744 wrote to memory of 1076   1744  bK7G.exe  netsh.exe
  PID 1744 wrote to memory of 1076   1744  bK7G.exe  netsh.exe
  PID 1744 wrote to memory of 1076   1744  bK7G.exe  netsh.exe
  PID 1744 wrote to memory of 5048   1744  bK7G.exe  cmd.exe
  PID 1744 wrote to memory of 5048   1744  bK7G.exe  cmd.exe
  PID 1744 wrote to memory of 5048   1744  bK7G.exe  cmd.exe
  PID 5048 wrote to memory of 2000   5048  cmd.exe   PING.EXE
  PID 5048 wrote to memory of 2000   5048  cmd.exe   PING.EXE
  PID 5048 wrote to memory of 2000   5048  cmd.exe   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\bK7G.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe" "bK7G.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 0 -n 2
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1744-133-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)
- memory/1744-134-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)
- memory/1744-135-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)
- memory/1744-136-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)