Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2023 14:06
Behavioral task: behavioral1
- Sample: h.exe
- Resource: win7-20230220-en (windows7-x64)
- 4 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: h.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 4 signatures, 150 seconds
General
- Target: h.exe
- Size: 37KB
- MD5: 629c0dfd3a9b0377cfe5f04629dc6b7f
- SHA1: c4f7e46c7d2c6ee69d0747874a3a215101931751
- SHA256: 8026b74f56f884cf8aa106f6263dafdcad5b2bd8b458578aea30cc397e0de7c1
- SHA512: 4cf763c2b324bbf06fad474816fd8452c8917066c9f5e46bb852a6bb7f3951c1d7fa9c60a874de3f2c367b20b8dd3845a00811ba6ca9c55e67fa8610fa2367af
- SSDEEP: 384:DeLx1kit8Zf5W9cTYXyc/bBM0izvncnPMIurAF+rMRTyN/0L+EcoinblneHQM3ei:CLxKjjTYic/be0PM/rM+rMRa8NuH2t
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
  description                        pid   process
  Token: SeDebugPrivilege            3452  h.exe
  Token: 33                          3452  h.exe
  Token: SeIncBasePriorityPrivilege  3452  h.exe
  (the last two entries alternate a further 16 times; 35 entries in total, all from PID 3452)
  Note: "Token: 33" is a privilege the sandbox reports only by its LUID; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). The entry that matters for triage is SeDebugPrivilege: a process enabling it in its own token is commonly preparing to open processes that belong to other users or to SYSTEM.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      pid   process  target process
  PID 3452 wrote to memory of 208  3452  h.exe    netsh.exe
  PID 3452 wrote to memory of 208  3452  h.exe    netsh.exe
  PID 3452 wrote to memory of 208  3452  h.exe    netsh.exe
  Caveat: the target (PID 208) is the netsh.exe child that h.exe itself launches, and a parent writes into a freshly created child as part of normal process start-up. On its own this IoC is consistent with ordinary process creation and does not show injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\h.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\h.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of h.exe, PID 208)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\h.exe" "h.exe" ENABLE
      - Modifies Windows Firewall
Reading the tree: the sample adds its own image, running from the user's Temp directory, to the Windows Firewall allowed-programs list, using the deprecated "netsh firewall" context rather than "netsh advfirewall". That is the classic preparation for an inbound listener or for C2 traffic the host firewall would otherwise drop. netsh.exe runs from SysWOW64 rather than System32, which is consistent with h.exe being a 32-bit process launched through WoW64 file-system redirection.
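The firewall change above is the detection opportunity in this report. The following is an added example, not code from the sandbox or from the sample: a check over process-creation events (Sysmon Event 1 style fields Image, CommandLine, ParentImage, ProcessId) that recognises both the deprecated "netsh firewall add allowedprogram" form used by h.exe and the current "netsh advfirewall firewall add rule ... action=allow program=..." form, extracts the allowed program path, and raises the severity when the parent process allow-lists its own image or the binary lives in a user-writable directory. The SAMPLE_EVENTS list is constructed; only its first record mirrors the tree above.

```python
"""Flag netsh calls that open the Windows Firewall for a program.

Added example for this report (not the sandbox's or the sample's code).
SAMPLE_EVENTS are constructed Sysmon-Event-1-style records; only the first
mirrors the h.exe -> netsh.exe tree in the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Paths an unprivileged user can write to. A firewall exception for a binary
# here (rather than under Program Files) is the pattern droppers produce.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)


def split_cmdline(cmd: str) -> List[str]:
    """Tokenise a Windows command line, keeping quoted spans together and
    dropping the quotes (so program="C:\\a b\\x.exe" becomes one token)."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def firewall_allow_target(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (rule_form, program_path) if cmd allows a program through the
    firewall, else None. Handles the deprecated 'netsh firewall add|set
    allowedprogram <path> <name> ENABLE' form and the current
    'netsh advfirewall firewall add rule ... action=allow program=<path>'."""
    toks = split_cmdline(cmd)
    low = [t.lower() for t in toks]
    if len(low) < 4:
        return None
    if low[1] == "firewall" and low[2] in ("add", "set") and low[3] == "allowedprogram":
        # Legacy context: positional (program, name, mode), but the path may
        # also be written program=<path>; either way it comes first.
        for t in toks[4:]:
            if t.lower().startswith("program="):
                return ("legacy", t[len("program="):])
            if "=" not in t:
                return ("legacy", t)
        return None
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv: Dict[str, str] = {}
        for t in toks[5:]:
            if "=" in t:
                k, v = t.split("=", 1)
                kv[k.lower()] = v
        if kv.get("action", "").lower() == "allow" and "program" in kv:
            return ("advfirewall", kv["program"])
    return None


@dataclass
class Finding:
    pid: int
    rule_form: str
    program: str
    self_allow: bool     # the parent process allow-listed its own image
    user_writable: bool  # the allowed binary lives in a user-writable path


def analyze(events: List[dict]) -> List[Finding]:
    """One Finding per netsh invocation that opens the firewall for a program."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\netsh.exe"):
            continue
        hit = firewall_allow_target(ev["CommandLine"])
        if hit is None:
            continue
        form, program = hit
        findings.append(Finding(
            pid=ev["ProcessId"],
            rule_form=form,
            program=program,
            self_allow=program.lower() == ev["ParentImage"].lower(),
            user_writable=bool(USER_WRITABLE.search(program)),
        ))
    return findings


def severity(f: Finding) -> str:
    """Self-allow-listing or a user-writable binary is alert-worthy; an admin
    allowing an installed application is merely informational."""
    return "high" if (f.self_allow or f.user_writable) else "info"


# Constructed sample events (not telemetry from the report).
SAMPLE_EVENTS = [
    {   # mirrors the h.exe -> netsh.exe tree above
        "ProcessId": 208, "ParentProcessId": 3452,
        "Image": r"C:\Windows\SysWOW64\netsh.exe",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\h.exe",
        "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\h.exe" "h.exe" ENABLE',
    },
    {   # benign: an admin shell allowing an installed application
        "ProcessId": 4100, "ParentProcessId": 900,
        "Image": r"C:\Windows\System32\netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'netsh advfirewall firewall add rule name="Sync" dir=in action=allow program="C:\Program Files\Sync\sync.exe"',
    },
    {   # netsh doing something unrelated
        "ProcessId": 4200, "ParentProcessId": 900,
        "Image": r"C:\Windows\System32\netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "netsh interface show interface",
    },
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(severity(f), f)
```

The check keys on the netsh image and command line rather than on the firewall rule store, so it fires at the moment the process tree above is created; pairing it with the parent image is what separates the self-allow-listing case in this report from routine administration.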