Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-03-2023 11:01
Behavioral task
behavioral1
Sample
4ac97876e13ba932cc9f7c00173fd958.exe
Resource
win7-20230220-en
windows7-x64
4 signatures
150 seconds
General
-
Target
4ac97876e13ba932cc9f7c00173fd958.exe
-
Size
37KB
-
MD5
4ac97876e13ba932cc9f7c00173fd958
-
SHA1
1c84938b4cf33bb6f4fd2cd5bf4734fda614bb6c
-
SHA256
1c6935c5622b81350dffeed2f9fcd6c43645f73bb88d697d927495f45d02411b
-
SHA512
4ec6852d9883f9ef932755a39fba1877e410e458a534718c42e6558ff38420b779e807bd408ae41396b60cacc983290fb75e5a7f8897728efff26624f2c844c5
-
SSDEEP
384:LmOs0IiejvCVLO309QmykrtG+dA+VCwvOSifrAF+rMRTyN/0L+EcoinblneHQM32:RFdGdkrgYUwWS0rM+rMRa8NuL3t
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
4ac97876e13ba932cc9f7c00173fd958.exe
description                         pid    process                                   count
Token: SeDebugPrivilege             2880   4ac97876e13ba932cc9f7c00173fd958.exe      1
Token: 33                           2880   4ac97876e13ba932cc9f7c00173fd958.exe      18
Token: SeIncBasePriorityPrivilege   2880   4ac97876e13ba932cc9f7c00173fd958.exe      18
(37 entries in total: one SeDebugPrivilege adjustment, followed by 33 and SeIncBasePriorityPrivilege alternating in pairs.)
"33" is a raw privilege LUID that the report did not resolve to a name; LUID 33 is SeIncreaseWorkingSetPrivilege. The entry worth attention is SeDebugPrivilege: enabling it is the usual prelude to opening other processes' memory. AdjustTokenPrivileges can only enable a privilege the token already holds, so whether this call did anything depends on the sample running under an elevated token; the table records the call, not its outcome. -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
4ac97876e13ba932cc9f7c00173fd958.exe
description                       pid    process                                   target process
PID 2880 wrote to memory of 436   2880   4ac97876e13ba932cc9f7c00173fd958.exe      netsh.exe
PID 2880 wrote to memory of 436   2880   4ac97876e13ba932cc9f7c00173fd958.exe      netsh.exe
PID 2880 wrote to memory of 436   2880   4ac97876e13ba932cc9f7c00173fd958.exe      netsh.exe
A handful of writes into a child the sample itself just created is what CreateProcess does to set up the child's process parameters; on its own this is not injection. It matters here only in combination with the command line that child (netsh.exe, PID 436) goes on to run.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe   (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\netsh.exe   (depth 2, child of the sample)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe" "4ac97876e13ba932cc9f7c00173fd958.exe" ENABLE
    - Modifies Windows Firewall
The netsh call uses the legacy "netsh firewall" context, deprecated since Windows Vista but still accepted on Windows 10 (it prints a deprecation notice and applies the change). It adds an allow exception for the sample's own binary, which lives in the user's Temp directory; the exception's display name is the second argument. The modern equivalent is netsh advfirewall firewall add rule name=<name> dir=in action=allow program=<path>, and any detection should cover both spellings. netsh.exe resolving from SysWOW64 rather than System32 shows the parent is a 32-bit process (WOW64 file-system redirection). The rule outlives the sample: on a real host, list rules with netsh advfirewall firewall show rule name=all verbose and look for program paths under \Users\<user>\AppData\ or other user-writable directories.
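Added example, not part of the sandbox report: a small Python detector run over constructed process-creation events in Sysmon Event ID 1 style (fields Image, ParentImage, CommandLine). The first event carries the netsh command line recorded above; the other three are made up (modern advfirewall syntax for a binary under AppData, a Program Files install, a harmless netsh query). It flags firewall allow exceptions for programs in user-writable paths and the "self-allow" pattern seen here, where the parent process is the very binary being allow-listed. The severity tiers and the user-writable directory list are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events (Sysmon Event ID 1 style, trimmed to the fields used).
# SAMPLE_EVENTS[0] reproduces the netsh command line from this report; the rest
# are made-up variants to exercise the modern syntax and a benign case.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe",
        "Image": r"C:\Windows\SysWOW64\netsh.exe",
        "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4ac97876e13ba932cc9f7c00173fd958.exe" "4ac97876e13ba932cc9f7c00173fd958.exe" ENABLE',
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\updater\svc.exe" enable=yes',
    },
    {
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": r'netsh advfirewall firewall add rule name="VendorApp" dir=in action=allow program="C:\Program Files\VendorApp\app.exe"',
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": r"netsh interface ip show config",
    },
]

# Legacy context: netsh firewall add|set allowedprogram [program=]<path> [name=]<name> [ENABLE|DISABLE]
LEGACY_RE = re.compile(
    r'\bfirewall\s+(?:add|set)\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Modern context: netsh advfirewall firewall add|set rule ... program=<path> action=allow
ADVFW_RE = re.compile(r'\badvfirewall\s+firewall\s+(?:add|set)\s+rule\b', re.I)
PROGRAM_RE = re.compile(r'\bprogram=(?:"([^"]+)"|(\S+))', re.I)
ALLOW_RE = re.compile(r'\baction=allow\b', re.I)
# Directories an unprivileged user can write to (example's own list): an exception
# for a binary living there deserves far more attention than one for Program Files.
USER_WRITABLE_RE = re.compile(
    r'\\(?:AppData|Temp|Downloads|Users\\Public|ProgramData)\\', re.I)


@dataclass
class Finding:
    syntax: str          # "legacy" (netsh firewall) or "advfirewall"
    program: str         # path the allow exception is granted to
    user_writable: bool  # program lives in a user-writable directory
    self_allow: bool     # the parent process is the binary being allow-listed
    severity: str        # "high" / "medium" / "low" (example's own tiers)


def _extract_program(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (syntax, program path) if cmd adds a program allow exception."""
    m = LEGACY_RE.search(cmd)
    if m:
        return "legacy", m.group(1) or m.group(2)
    if ADVFW_RE.search(cmd) and ALLOW_RE.search(cmd):
        m = PROGRAM_RE.search(cmd)
        if m:
            return "advfirewall", m.group(1) or m.group(2)
    return None


def analyze(event: dict) -> Optional[Finding]:
    """Classify one process-creation event; None if it is not a firewall allow rule."""
    if not event.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    hit = _extract_program(event.get("CommandLine", ""))
    if hit is None:
        return None
    syntax, program = hit
    user_writable = bool(USER_WRITABLE_RE.search(program))
    self_allow = program.lower() == event.get("ParentImage", "").lower()
    if user_writable and self_allow:
        severity = "high"
    elif user_writable or self_allow:
        severity = "medium"
    else:
        severity = "low"
    return Finding(syntax, program, user_writable, self_allow, severity)


def scan(events) -> List[Finding]:
    """Run analyze() over an iterable of events and keep the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.syntax:11} self_allow={f.self_allow} program={f.program}")
```

Against the constructed events the report's own command line scores "high" (Temp path, parent equals the allow-listed program), the AppData updater "medium", and the Program Files install "low"; the netsh query produces no finding. In production the event source would be Sysmon or Security 4688 logs with command-line auditing enabled; without the command line the legacy and modern syntaxes are indistinguishable.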