Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2023 04:10
Behavioral task: behavioral1
Sample: bK7G.exe
Resource: win7-20230220-en
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: bK7G.exe
Resource: win10v2004-20230220-en
5 signatures, 150 seconds
General
Target: bK7G.exe
Size: 23KB
MD5: 227368ebab549d28b20ce786f72320c7
SHA1: 50f7d115ef22a2ea3d906af5e675f416ee78b5b8
SHA256: 8c402138d923ed8e4403dd04010eaa9c593f42fc02c5fa349774c44d8dda006e
SHA512: 9fd1d82ba2c09c23280ab00cf99790d2c66d1c4e1ebed32b6e8f5ab5f27814d95c800b18da216656b536f3f0cb1c069a29ada8ec46c6a8805e9dc2a630651f39
SSDEEP: 384:0oWtkEwn65rgjAsGipk58D16xgXakhbZD0mRvR6JZlbw8hqIusZzZMQ:j7O89pbrRpcnui
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 2 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: bK7G.exe
  description                        pid   process
  Token: SeDebugPrivilege            1240  bK7G.exe
  Token: 33                          1240  bK7G.exe
  Token: SeIncBasePriorityPrivilege  1240  bK7G.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: bK7G.exe, cmd.exe
  description                        pid   process   target process
  PID 1240 wrote to memory of 1220   1240  bK7G.exe  netsh.exe
  PID 1240 wrote to memory of 1220   1240  bK7G.exe  netsh.exe
  PID 1240 wrote to memory of 1220   1240  bK7G.exe  netsh.exe
  PID 1240 wrote to memory of 4912   1240  bK7G.exe  netsh.exe
  PID 1240 wrote to memory of 4912   1240  bK7G.exe  netsh.exe
  PID 1240 wrote to memory of 4912   1240  bK7G.exe  netsh.exe
  PID 1240 wrote to memory of 4432   1240  bK7G.exe  cmd.exe
  PID 1240 wrote to memory of 4432   1240  bK7G.exe  cmd.exe
  PID 1240 wrote to memory of 4432   1240  bK7G.exe  cmd.exe
  PID 4432 wrote to memory of 1180   4432  cmd.exe   PING.EXE
  PID 4432 wrote to memory of 1180   4432  cmd.exe   PING.EXE
  PID 4432 wrote to memory of 1180   4432  cmd.exe   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\bK7G.exe
  "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe" "bK7G.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      - Runs ping.exe