8c402138d923ed8e4403dd04010eaa9c593f42fc02c5fa349774c44d8dda006e

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bK7G.exe
Size

23KB
MD5

227368ebab549d28b20ce786f72320c7
SHA1

50f7d115ef22a2ea3d906af5e675f416ee78b5b8
SHA256

8c402138d923ed8e4403dd04010eaa9c593f42fc02c5fa349774c44d8dda006e
SHA512

9fd1d82ba2c09c23280ab00cf99790d2c66d1c4e1ebed32b6e8f5ab5f27814d95c800b18da216656b536f3f0cb1c069a29ada8ec46c6a8805e9dc2a630651f39
SSDEEP

384:0oWtkEwn65rgjAsGipk58D16xgXakhbZD0mRvR6JZlbw8hqIusZzZMQ:j7O89pbrRpcnui

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1220	netsh.exe
4912	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1180	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	bK7G.exe
Token: 33	1240	bK7G.exe
Token: SeIncBasePriorityPrivilege	1240	bK7G.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1220	1240	bK7G.exe	94
PID 1240 wrote to memory of 1220	1240	bK7G.exe	94
PID 1240 wrote to memory of 1220	1240	bK7G.exe	94
PID 1240 wrote to memory of 4912	1240	bK7G.exe	98
PID 1240 wrote to memory of 4912	1240	bK7G.exe	98
PID 1240 wrote to memory of 4912	1240	bK7G.exe	98
PID 1240 wrote to memory of 4432	1240	bK7G.exe	99
PID 1240 wrote to memory of 4432	1240	bK7G.exe	99
PID 1240 wrote to memory of 4432	1240	bK7G.exe	99
PID 4432 wrote to memory of 1180	4432	cmd.exe	102
PID 4432 wrote to memory of 1180	4432	cmd.exe	102
PID 4432 wrote to memory of 1180	4432	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\bK7G.exe
"C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe" "bK7G.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:1220
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\bK7G.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - Runs ping.exe
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-133-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/1240-134-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/1240-135-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download