f5cb673a1908c5d618e56e76a40d174076a86f87fbe2a45ceb08b98557baf37a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Size

37KB
MD5

a34aad8b44cf60e0d78cb7b5df04e7a9
SHA1

f45889eec7f3d9e33deb6bbcff54b1cefb5c064c
SHA256

f5cb673a1908c5d618e56e76a40d174076a86f87fbe2a45ceb08b98557baf37a
SHA512

2356cf3ee4dfb2ef1303159d4f1d47c72df0e233e4b661fa9c83502ce499f34515777307ff2e135e8bc5d52f0e4d1c6789a83112a2382eeead7e3cab878fa156
SSDEEP

384:r55zqi0ZJZtbH9KyM+2BzmW3VIsmabXrAF+rMRTyN/0L+EcoinblneHQM3epzX/I:t+J95M+2B6Wa9abrM+rMRa8NuxYt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2100	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: 33	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe
Token: SeIncBasePriorityPrivilege	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2100	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe	85
PID 956 wrote to memory of 2100	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe	85
PID 956 wrote to memory of 2100	956	a34aad8b44cf60e0d78cb7b5df04e7a9.exe	85

C:\Users\Admin\AppData\Local\Temp\a34aad8b44cf60e0d78cb7b5df04e7a9.exe
"C:\Users\Admin\AppData\Local\Temp\a34aad8b44cf60e0d78cb7b5df04e7a9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a34aad8b44cf60e0d78cb7b5df04e7a9.exe" "a34aad8b44cf60e0d78cb7b5df04e7a9.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-133-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/956-134-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download