Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24-04-2023 02:03
Behavioral task behavioral1
Sample: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
Resource: win7-20230220-en
Behavioral task behavioral2
Sample: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
Resource: win10v2004-20230220-en
The signatures and process tree on this page are from behavioral1, the windows7_x64 run (platform and resource above); the Windows 10 run is a separate task.
General
Target: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
Size: 37KB
MD5: cb3b0b29603049aa3bdb6d9b9a2b2cb9
SHA1: 09e50c801100bad1ec717b1d3b05a3ba91984c08
SHA256: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc
SHA512: 51686b84dfd697379d445f1e48177fc12b2e454eeb62b8b9091226594999808813ccf0b4e39275b2b2fb8e605df658419b119411186c95dfc31994b15fdad3f8
SSDEEP: 384:wyoPVSikmD0NVtv/Vey0bEGfFdIs+yvErAF+rMRTyN/0L+EcoinblneHQM3epzXL:94HO1VV0bEGHIVycrM+rMRa8NuRRt
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecadd18227360ae705bfde0ceb02fa9.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecadd18227360ae705bfde0ceb02fa9.exe
This is the per-user Startup folder of the Admin account, so the dropped copy runs at every logon of that user without any registry change. The file name 4ecadd18227360ae705bfde0ceb02fa9 is reused as the Run value name in the next signature, which makes it a convenient pivot when checking other hosts.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ecadd18227360ae705bfde0ceb02fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe\" .."
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4ecadd18227360ae705bfde0ceb02fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe\" .."
Both values decode to the quoted path of the original sample in %TEMP% followed by a literal ".." argument; they point at the file in Temp, not at the copy dropped in the Startup folder. The HKCU value needs no elevation; the HKLM write succeeded because the sandbox runs the sample as the Admin user, and it landed under Wow6432Node because the sample is a 32-bit process on the x64 image (the same reason its child netsh.exe is the SysWOW64 build). When checking a host, inspect both HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe, pid 1088 (all 64 entries refer to this one process)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe, pid 1088
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe, pid 1088
- Token: SeDebugPrivilege (1 entry)
- Token: 33 followed by Token: SeIncBasePriorityPrivilege, 11 alternating pairs (22 entries)
The report prints a privilege by number where it did not resolve a name; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. SeDebugPrivilege is the one that matters: a process that enables it can open other processes regardless of their DACL, which fits the process enumeration above, although the report only records that the token was adjusted, not what was done with it.
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
- PID 1088 wrote to memory of 1728 (netsh.exe), 4 entries
All four writes go from the sample into the netsh.exe child it spawns (pid 1728, see the process tree). A parent writing into a child it has just created is also what ordinary process creation looks like, so these entries by themselves do not show code injection into netsh; the firewall change is explained by the netsh command line in the tree.
Processes
1. C:\Users\Admin\AppData\Local\Temp\81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\netsh.exe (child of 1)
   Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe" "81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe" ENABLE
   - Modifies Windows Firewall
The netsh call uses the legacy "netsh firewall" context rather than "netsh advfirewall"; Windows 7 still honours it (with a deprecation notice) and the result is an inbound allow exception for the sample's own path in %TEMP%, the same path the Run keys point at. Changing firewall configuration requires administrator rights, so this step also confirms the sample ran elevated in the sandbox. The modern equivalent is netsh advfirewall firewall add rule with dir=in action=allow program=<path>, which is the form to look for on Windows 8 and later.
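The three behaviours in this report (a copy dropped in the Startup folder, Run values whose data is the quoted sample path followed by "..", and a netsh firewall exception for a path under AppData) are individually common but rarely seen together from one process. The script below is an added example, not part of the sandbox report or of the sample, showing how to correlate them in Sysmon-style telemetry. The event dictionaries, field names (EventID, Image, TargetObject, Details, TargetFilename, CommandLine, ProcessId, ParentProcessId) and rule names are constructed for this example from the IoCs on this page; the benign VendorUpdater entry is invented noise to show what does not fire.

```python
"""Correlate Startup-folder drops, Run keys pointing at user-writable paths
(including the '"<path>" ..' form seen in this report) and netsh firewall
exceptions, attributing netsh activity to the parent that launched it.
Events are constructed for this example; they are not sandbox output."""
import re
from collections import defaultdict

# Locations a standard user can write to; autoruns that point here deserve a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Legacy context used by the sample: netsh firewall add allowedprogram [program=]<path> <name> ENABLE
LEGACY_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+(?:program=)?"?([^"]+?)"?\s', re.I)
# Modern equivalent: netsh advfirewall firewall add rule ... program=<path> ...
ADVFW_PROGRAM = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed Sysmon-like events: 1 = process create, 11 = file create, 13 = registry value set.
EVENTS = [
    {"EventID": 1, "ProcessId": 1088, "ParentProcessId": 600, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 1088, "Image": SAMPLE,
     "TargetFilename": STARTUP + r"\4ecadd18227360ae705bfde0ceb02fa9.exe"},
    {"EventID": 13, "ProcessId": 1088, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ecadd18227360ae705bfde0ceb02fa9",
     "Details": f'"{SAMPLE}" ..'},
    {"EventID": 13, "ProcessId": 1088, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4ecadd18227360ae705bfde0ceb02fa9",
     "Details": f'"{SAMPLE}" ..'},
    {"EventID": 1, "ProcessId": 1728, "ParentProcessId": 1088, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{SAMPLE}" "81707f63a5a759d1ec24ef88500899d43023921001350b885babecb0b82891fc.exe" ENABLE'},
    # Invented benign noise: a vendor updater registering itself from Program Files.
    {"EventID": 13, "ProcessId": 2200, "Image": r"C:\Program Files\Vendor\Updater\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater\updater.exe" /tray'},
]


def firewall_program(cmdline):
    """Return the program path a netsh firewall-exception command allows, or None."""
    m = LEGACY_ALLOW.search(cmdline) or ADVFW_PROGRAM.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g)


def findings(events):
    """Map pid -> [(rule, detail)]. netsh activity is charged to the parent that spawned it."""
    hits = defaultdict(list)
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]) and USER_WRITABLE.search(ev["Image"]):
            hits[pid].append(("startup_folder_drop", ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            data = ev["Details"]
            if USER_WRITABLE.search(data):
                hits[pid].append(("run_key_to_user_writable_path", ev["TargetObject"]))
            if data.rstrip().endswith('" ..'):  # the '"<path>" ..' data form seen in this report
                hits[pid].append(("run_key_dotdot_argument", ev["TargetObject"]))
        elif eid == 1 and ev["Image"].lower().endswith("\\netsh.exe"):
            prog = firewall_program(ev["CommandLine"])
            if prog and USER_WRITABLE.search(prog):
                hits[ev["ParentProcessId"]].append(("firewall_exception_for_user_writable_path", prog))
    return dict(hits)


def suspicious_pids(events, min_rules=2):
    """Pids that trip at least min_rules distinct rules; a lone Run key is too common to alert on."""
    return sorted(pid for pid, rows in findings(events).items()
                  if len({rule for rule, _ in rows}) >= min_rules)


if __name__ == "__main__":
    for pid, rows in findings(EVENTS).items():
        for rule, detail in rows:
            print(f"{pid}\t{rule}\t{detail}")
    print("suspicious:", suspicious_pids(EVENTS))
```

Run against the constructed events, pid 1088 trips all four rules (six findings, since each Run value matches two rules) and the invented updater trips none. The threshold in suspicious_pids is the important design choice: Run keys under AppData are routine for legitimate per-user installers, so the alert is on the combination with a Startup drop or a firewall exception, and the netsh hit is attributed to the parent so the correlation lands on the process that actually persisted.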