Analysis
max time kernel: 33s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2023 04:10
Behavioral task: behavioral1
Sample: bK7G.exe
Resource: win7-20230220-en (windows7-x64)
6 signatures
150 seconds

Behavioral task: behavioral2
Sample: bK7G.exe
Resource: win10v2004-20230220-en (windows10-2004-x64)
5 signatures
150 seconds
General
Target: bK7G.exe
Size: 23KB
MD5: 227368ebab549d28b20ce786f72320c7
SHA1: 50f7d115ef22a2ea3d906af5e675f416ee78b5b8
SHA256: 8c402138d923ed8e4403dd04010eaa9c593f42fc02c5fa349774c44d8dda006e
SHA512: 9fd1d82ba2c09c23280ab00cf99790d2c66d1c4e1ebed32b6e8f5ab5f27814d95c800b18da216656b536f3f0cb1c069a29ada8ec46c6a8805e9dc2a630651f39
SSDEEP: 384:0oWtkEwn65rgjAsGipk58D16xgXakhbZD0mRvR6JZlbw8hqIusZzZMQ:j7O89pbrRpcnui
Score
8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 2 IoCs)
- Deletes itself (1 IoCs)
  Processes:
    pid    process
    1540   cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                         pid    process
    Token: SeDebugPrivilege             2036   bK7G.exe
    Token: 33                           2036   bK7G.exe
    Token: SeIncBasePriorityPrivilege   2036   bK7G.exe
    Token: 33                           2036   bK7G.exe
    Token: SeIncBasePriorityPrivilege   2036   bK7G.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                         pid    process    target process
    PID 2036 wrote to memory of 1672    2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 1672    2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 1672    2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 1672    2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 604     2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 604     2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 604     2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 604     2036   bK7G.exe   netsh.exe
    PID 2036 wrote to memory of 1540    2036   bK7G.exe   cmd.exe
    PID 2036 wrote to memory of 1540    2036   bK7G.exe   cmd.exe
    PID 2036 wrote to memory of 1540    2036   bK7G.exe   cmd.exe
    PID 2036 wrote to memory of 1540    2036   bK7G.exe   cmd.exe
    PID 1540 wrote to memory of 1656    1540   cmd.exe    PING.EXE
    PID 1540 wrote to memory of 1656    1540   cmd.exe    PING.EXE
    PID 1540 wrote to memory of 1656    1540   cmd.exe    PING.EXE
    PID 1540 wrote to memory of 1656    1540   cmd.exe    PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\bK7G.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe" "bK7G.exe" ENABLE
        - Modifies Windows Firewall
    C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
        - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
            command line: ping 0 -n 2
            - Runs ping.exe

Notes on the tree:
- PIDs from the IoC tables above: bK7G.exe 2036, netsh.exe 1672 and 604, cmd.exe 1540, PING.EXE 1656.
- netsh.exe, cmd.exe and PING.EXE are launched from C:\Windows\SysWOW64, so the sample runs as a 32-bit process under WOW64 on the x64 guest (consistent with the arch:x86 resource tag).
- The sample uses the legacy "netsh firewall" context to add an exception for its own path, later removes that exception, and finally deletes its own executable via cmd.exe; the "ping 0 -n 2" acts as a short delay so that del runs after the parent has exited.
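The two behaviours visible in this tree, a firewall exception for a binary in a user-writable directory and a cmd.exe child that pings and then deletes its parent's image, are straightforward to detect from process-creation telemetry. The following Python is an added detection example written for this report, not output of the sandbox or part of the sample; the ProcEvent records are constructed to mirror the tree above (the parent PIDs 1200 and 900 and the mapping of PIDs 1672/604 to the add/delete netsh calls are assumptions, as is the benign advfirewall control event).

```python
"""Detect (1) a netsh firewall exception for a binary under a user-writable path and
(2) a cmd.exe 'ping ... & del <parent image>' self-deletion chain, over Sysmon
Event ID 1 style process-creation records.

Added example for this report. The events below are CONSTRUCTED to mirror the
sandbox process tree; they are not the sandbox's raw output."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Constructed events. ppid 1200 / pid 900 are assumed launchers; which of the two
# netsh children (1672, 604) ran the add vs. delete is also an assumption.
EVENTS = [
    ProcEvent(2036, 1200, r"C:\Users\Admin\AppData\Local\Temp\bK7G.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bK7G.exe"'),
    ProcEvent(1672, 2036, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe" "bK7G.exe" ENABLE'),
    ProcEvent(604, 2036, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"'),
    ProcEvent(1540, 2036, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"'),
    ProcEvent(1656, 1540, r"C:\Windows\SysWOW64\PING.EXE", r"ping 0 -n 2"),
    # Benign control (constructed): an exception for an installed program must not fire.
    ProcEvent(3000, 900, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="App" dir=in action=allow '
              r'program="C:\Program Files\App\app.exe"'),
]

# Legacy "netsh firewall" context (what the sample uses) and the advfirewall form.
LEGACY_ADD = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
LEGACY_DEL = re.compile(r'\bfirewall\s+delete\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
ADVFW_ADD = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)
# Directories a standard user can write to; whitelisting a binary there is the signal.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\", re.I)
# "ping ... & del <path>": ping as a sleep, then delete. Accepts &, &&, |, del/erase and switches.
PING_THEN_DEL = re.compile(r'\bping\b[^&|]*[&|]+\s*(?:del|erase)\s+(?:/\S+\s+)*(?:"([^"]+)"|(\S+))', re.I)


def _path(m):
    return m.group(1) or m.group(2)


def firewall_exception_target(ev):
    """Program path that a netsh invocation whitelists, or None if ev is not such a call."""
    if _basename(ev.image) != "netsh.exe":
        return None
    for rx in (LEGACY_ADD, ADVFW_ADD):
        m = rx.search(ev.command_line)
        if m:
            return _path(m)
    return None


def is_suspicious_firewall_exception(ev):
    """True when the whitelisted program lives in a user-writable location."""
    target = firewall_exception_target(ev)
    return bool(target and USER_WRITABLE.search(target))


def self_delete_target(ev, parent):
    """Path deleted by a cmd.exe 'ping ... & del' chain when it equals the parent's image."""
    if parent is None or _basename(ev.image) != "cmd.exe":
        return None
    m = PING_THEN_DEL.search(ev.command_line)
    if m and _path(m).lower() == parent.image.lower():
        return _path(m)
    return None


def exception_add_then_delete(events):
    """Parent PIDs whose netsh children both add and remove an exception for the same path."""
    added, removed = {}, {}
    for ev in events:
        if _basename(ev.image) != "netsh.exe":
            continue
        for rx, store in ((LEGACY_ADD, added), (LEGACY_DEL, removed)):
            m = rx.search(ev.command_line)
            if m:
                store.setdefault(ev.ppid, set()).add(_path(m).lower())
    return {p for p, paths in added.items() if paths & removed.get(p, set())}


def analyze(events):
    """Return (rule, pid, path) findings over a list of ProcEvent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_suspicious_firewall_exception(ev):
            findings.append(("firewall_exception_user_writable", ev.pid, firewall_exception_target(ev)))
        target = self_delete_target(ev, by_pid.get(ev.ppid))
        if target:
            findings.append(("self_delete_via_ping_delay", ev.pid, target))
    for ppid in sorted(exception_add_then_delete(events)):
        findings.append(("firewall_exception_add_then_delete", ppid, by_pid[ppid].image))
    return findings


if __name__ == "__main__":
    for rule, pid, path in analyze(EVENTS):
        print(f"{rule:36} pid={pid:<5} {path}")
```

Run against the constructed events, the add-allowedprogram netsh call and the cmd.exe self-delete fire, the delete-allowedprogram call alone does not, and the add/remove pairing under the same parent is reported as a third finding; the advfirewall exception for a Program Files binary stays silent because the path is not user-writable. The self-delete rule deliberately requires the deleted path to equal the parent's image, which keeps it from firing on ordinary batch-file cleanup.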
Downloads
- memory/2036-54-0x0000000000B50000-0x0000000000B90000-memory.dmp (Filesize: 256KB)
- memory/2036-55-0x0000000000B50000-0x0000000000B90000-memory.dmp (Filesize: 256KB)
- memory/2036-56-0x0000000000B50000-0x0000000000B90000-memory.dmp (Filesize: 256KB)
- memory/2036-57-0x0000000000B50000-0x0000000000B90000-memory.dmp (Filesize: 256KB)