Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-03-2023 11:01
Behavioral task
- behavioral1
  Sample: 4ac97876e13ba932cc9f7c00173fd958.exe
  Resource: win7-20230220-en (windows7-x64)
  4 signatures, 150 seconds
General
- Target: 4ac97876e13ba932cc9f7c00173fd958.exe
- Size: 37KB
- MD5: 4ac97876e13ba932cc9f7c00173fd958
- SHA1: 1c84938b4cf33bb6f4fd2cd5bf4734fda614bb6c
- SHA256: 1c6935c5622b81350dffeed2f9fcd6c43645f73bb88d697d927495f45d02411b
- SHA512: 4ec6852d9883f9ef932755a39fba1877e410e458a534718c42e6558ff38420b779e807bd408ae41396b60cacc983290fb75e5a7f8897728efff26624f2c844c5
- SSDEEP: 384:LmOs0IiejvCVLO309QmykrtG+dA+VCwvOSifrAF+rMRTyN/0L+EcoinblneHQM32:RFdGdkrgYUwWS0rM+rMRa8NuL3t
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: 4ac97876e13ba932cc9f7c00173fd958.exe
  description                          pid   process
  Token: SeDebugPrivilege              2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: 33                            2008  4ac97876e13ba932cc9f7c00173fd958.exe
  Token: SeIncBasePriorityPrivilege    2008  4ac97876e13ba932cc9f7c00173fd958.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 4ac97876e13ba932cc9f7c00173fd958.exe
  description                          pid   process                                target process
  PID 2008 wrote to memory of 1996     2008  4ac97876e13ba932cc9f7c00173fd958.exe   netsh.exe
  PID 2008 wrote to memory of 1996     2008  4ac97876e13ba932cc9f7c00173fd958.exe   netsh.exe
  PID 2008 wrote to memory of 1996     2008  4ac97876e13ba932cc9f7c00173fd958.exe   netsh.exe
  PID 2008 wrote to memory of 1996     2008  4ac97876e13ba932cc9f7c00173fd958.exe   netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of the process above)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe" "4ac97876e13ba932cc9f7c00173fd958.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2008-54-0x0000000000B70000-0x0000000000BB0000-memory.dmp
  Filesize: 256KB