612b31c7cd1ce6c052c1eeea21645f4e45bc071c9d145c8ecd230484f16cb55b

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 06:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c32715c14d607191839298a5ab1e55de.exe
Size

37KB
MD5

c32715c14d607191839298a5ab1e55de
SHA1

4fbb915f8f5d752a1c79174d398d04d31d363f89
SHA256

612b31c7cd1ce6c052c1eeea21645f4e45bc071c9d145c8ecd230484f16cb55b
SHA512

92a3dc91bfcf669c8ab3e730d866dc0983116e5fa707901290f9cfe07b6e96604e3831a03387bf794dead2f06aeed8d313dca87708a845454b20b6ca1e5e134b
SSDEEP

384:bESvEiTbTvpWNcZ0y8fvCv3v3cLkacJE0rAF+rMRTyN/0L+EcoinblneHQM3epzN:wS7TZ38fvCv3E1cprM+rMRa8Nu7dt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2840	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Kills process with taskkill 1 IoCs

evasion

pid	Process
4364	taskkill.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe
Token: 33	5084	c32715c14d607191839298a5ab1e55de.exe
Token: SeIncBasePriorityPrivilege	5084	c32715c14d607191839298a5ab1e55de.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2840	5084	c32715c14d607191839298a5ab1e55de.exe	82
PID 5084 wrote to memory of 2840	5084	c32715c14d607191839298a5ab1e55de.exe	82
PID 5084 wrote to memory of 2840	5084	c32715c14d607191839298a5ab1e55de.exe	82
PID 5084 wrote to memory of 4364	5084	c32715c14d607191839298a5ab1e55de.exe	83
PID 5084 wrote to memory of 4364	5084	c32715c14d607191839298a5ab1e55de.exe	83
PID 5084 wrote to memory of 4364	5084	c32715c14d607191839298a5ab1e55de.exe	83

C:\Users\Admin\AppData\Local\Temp\c32715c14d607191839298a5ab1e55de.exe
"C:\Users\Admin\AppData\Local\Temp\c32715c14d607191839298a5ab1e55de.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c32715c14d607191839298a5ab1e55de.exe" "c32715c14d607191839298a5ab1e55de.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Exsample.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5084-133-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/5084-134-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads