Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-03-2023 12:34
Behavioral task: behavioral1
- Sample: installer.exe
- Resource: win7-20230220-en (windows7-x64)
- 3 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: installer.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 3 signatures
- 150 seconds
General
- Target: installer.exe
- Size: 37KB
- MD5: d9aaecfddd720609cf1e184629f324cf
- SHA1: a5efe468f574d1b25e0b42ea532ed9c8e23d58b1
- SHA256: 011d9a9d17d657eb4d196d9f40ae350a220e708e301ca0cc8253943b1c79c69e
- SHA512: e1da056f310df61710a2a0eba8123a49ed00b2b4053ac7a74fd3947d0809c4a3d2ccc0748ea123b6b6a04904a38482b03046ce09d7b3a726c7253d9976244a79
- SSDEEP: 384:+KqIiuVjtD+P3V+y0bf2TKtvN4suKfdrAF+rMRTyN/0L+EcoinblneHQM3epzX6D:DNmV10bf2TKtClK1rM+rMRa8NuABt
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
  Token: 33 | 1388 | installer.exe
  Token: SeIncBasePriorityPrivilege | 1388 | installer.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 1388 wrote to memory of 1296 | 1388 | installer.exe | netsh.exe
  PID 1388 wrote to memory of 1296 | 1388 | installer.exe | netsh.exe
  PID 1388 wrote to memory of 1296 | 1388 | installer.exe | netsh.exe
  PID 1388 wrote to memory of 1296 | 1388 | installer.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\installer.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (tree depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\installer.exe" "installer.exe" ENABLE
    - Modifies Windows Firewall