Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted: 22-04-2023 21:21
Behavioral task
behavioral1
Sample
cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Resource
win7-20230220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Resource
win10v2004-20230221-en
windows10-2004-x64
7 signatures
150 seconds
General
Target: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Size: 37KB
MD5: cb3b0b29603049aa3bdb6d9b9a2b2cb9
SHA1: 09e50c801100bad1ec717b1d3b05a3ba91984c08
SHA256: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc
SHA512: 51686b84dfd697379d445f1e48177fc12b2e454eeb62b8b9091226594999808813ccf0b4e39275b2b2fb8e605df658419b119411186c95dfc31994b15fdad3f8
SSDEEP: 384:wyoPVSikmD0NVtv/Vey0bEGfFdIs+yvErAF+rMRTyN/0L+EcoinblneHQM3epzXL:94HO1VV0bEGHIVycrM+rMRa8NuRRt
Score
8/10
Malware Config
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecadd18227360ae705bfde0ceb02fa9.exe | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecadd18227360ae705bfde0ceb02fa9.exe | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ecadd18227360ae705bfde0ceb02fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe\" .." | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ecadd18227360ae705bfde0ceb02fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe\" .." | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
pid | process
832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe (the same row is repeated for all 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
pid | process
832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
description | pid | process
Token: SeDebugPrivilege | 832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Token: 33 | 832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
Token: SeIncBasePriorityPrivilege | 832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
(the last two rows alternate for the remaining IoCs, up to the 35 listed)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
description | pid | process | target process
PID 832 wrote to memory of 1532 | 832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe | netsh.exe
PID 832 wrote to memory of 1532 | 832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe | netsh.exe
PID 832 wrote to memory of 1532 | 832 | cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe | netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe" "cb3b0b29603049aa3bdb6d9b9a2b2cb9.exe" ENABLE
      - Modifies Windows Firewall