Analysis
max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2023 05:08

Behavioral task: behavioral1
Sample: bK7F.exe
Resource: win7-20230220-en (windows7-x64)
4 signatures, 150 seconds
General
Target: bK7F.exe
Size: 23KB
MD5: 59645ca85405fac3881899a293149272
SHA1: a6fe815e16b0f0dbec37b553ec1d7ff4ac97f08f
SHA256: 546d7be50a9f2e5172fe46d3e20031f8d743d1f1cca29a432dfa3df9d109e292
SHA512: ea3ff11fcad38c916a0b7c5266f9eaa69ff0d8bd36e9b1a768b407a70b32460d3d80e1b068c82e3981a6fb399a8fac02b2b914493df5ad7900627d6b27ee62e1
SSDEEP: 384:3oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZMo:Q7O89p2rRpcnu6
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege            1476  bK7F.exe
  Token: 33                          1476  bK7F.exe
  Token: SeIncBasePriorityPrivilege  1476  bK7F.exe
  (the last two entries alternate and are each recorded 11 times, accounting for 22 of the 23 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 1476 wrote to memory of 1700  1476  bK7F.exe  netsh.exe
  (the same entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bK7F.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bK7F.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7F.exe" "bK7F.exe" ENABLE
      - Modifies Windows Firewall
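Added example, not code from the sandbox or from the sample: detection logic run over constructed process-creation records (fields shaped like Sysmon Event ID 1; the first record reproduces the netsh command line from the process tree above, the other three are made up) that flags a netsh firewall exception whitelisting a program in a user-writable path, or a parent process whitelisting itself, which is exactly what bK7F.exe does here. It handles both the legacy "netsh firewall add allowedprogram" context used by this sample, which is still present on Windows 7, and the "netsh advfirewall firewall add rule" form; the USER_WRITABLE path list is an assumption to tune per environment. Two caveats when reading the report: C:\Windows\SysWOW64\netsh.exe is where a 32-bit process's call to System32\netsh.exe is redirected on x64 Windows, so the sample is 32-bit, and all four WriteProcessMemory IoCs target the netsh.exe child (pid 1700), which is consistent with ordinary process creation by the parent rather than with code injection.

```python
"""Flag netsh firewall exceptions that whitelist a binary in a user-writable path.

Added example (not sandbox or sample code). The input records are constructed
here in the shape of Sysmon Event ID 1 fields; they are not real telemetry.
"""
import re

# Constructed sample events. The first mirrors the command line in the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\bK7F.exe",
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bK7F.exe" "bK7F.exe" ENABLE'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Updater\upd.exe" enable=yes'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="SQL" dir=in action=allow program="C:\Program Files\Microsoft SQL Server\sqlservr.exe" enable=yes'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config"},
]

# Assumed set of locations an unprivileged user can write to; tune per environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|windows\\temp|programdata|temp)\\", re.I)

# A token is a run of quoted segments and bare characters, so name="a b" stays
# together; the quotes are then dropped, as CommandLineToArgvW would drop them.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')
_KEYWORD = re.compile(r"[a-z]+=", re.I)


def tokenize(cmdline):
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def firewall_allow_target(cmdline):
    """Return the program path a netsh command whitelists, or None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    # Legacy context, still present on Windows 7:
    #   netsh firewall add|set allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE|DISABLE
    if low[1:4] in (["firewall", "add", "allowedprogram"], ["firewall", "set", "allowedprogram"]):
        rest = toks[4:]
        for t in rest:
            if t.lower().startswith("program="):
                return t[len("program="):]
        positional = [t for t in rest if not _KEYWORD.match(t)]
        return positional[0] if positional else None
    # Current context: netsh advfirewall firewall add rule ... action=allow program=<path>
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {}
        for t in toks[5:]:
            key, sep, val = t.partition("=")
            if sep:
                kv[key.lower()] = val
        if kv.get("action", "").lower() == "allow":
            return kv.get("program")
    return None


def flag_event(ev):
    """Return a finding for a suspicious firewall exception, else None."""
    target = firewall_allow_target(ev["CommandLine"])
    if target is None:
        return None
    reasons = []
    if USER_WRITABLE.match(target):
        reasons.append("allowed program lives in a user-writable path")
    if target.lower() == ev["ParentImage"].lower():
        reasons.append("parent process whitelisted itself")
    if USER_WRITABLE.match(ev["ParentImage"]):
        reasons.append("netsh spawned from a user-writable path")
    if not reasons:
        return None
    return {"parent": ev["ParentImage"], "target": target, "reasons": reasons}


def scan(events):
    return [f for f in map(flag_event, events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["parent"], "->", f["target"], ";", "; ".join(f["reasons"]))
```

Run as a script, it reports the bK7F.exe record with all three reasons and the AppData\Roaming record with one; the Program Files rule and the unrelated netsh call are left alone. A block rule (action=block) is deliberately not treated as whitelisting.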