e79459dc4c5898824dc2d32d24bcd0156e699fbdafb68ba6e5daa43cce5cbdda

Analysis

max time kernel
142s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2023, 21:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b701e3585e852755624bc4965e7af509.exe
Size

37KB
MD5

b701e3585e852755624bc4965e7af509
SHA1

38f7bee5480c1f5d0b08d7d072c0980971a9eda9
SHA256

e79459dc4c5898824dc2d32d24bcd0156e699fbdafb68ba6e5daa43cce5cbdda
SHA512

99c57bb8d95a1a5654ab962de3de516552ef6652cad0169ba54a79b9371986fea60171e5e8ef0ccd2f871c766f36c3cb9a19ddd6de464d871ec3262cb584ae95
SSDEEP

384:IKwCT0i9rdTe/kCOyU7jcnZ8DfmTgrAF+rMRTyN/0L+EcoinblneHQM3epzXKNrW:h1J1CFU7jcC7m8rM+rMRa8NuYot

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4712	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe
Token: 33	1740	b701e3585e852755624bc4965e7af509.exe
Token: SeIncBasePriorityPrivilege	1740	b701e3585e852755624bc4965e7af509.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4712	1740	b701e3585e852755624bc4965e7af509.exe	91
PID 1740 wrote to memory of 4712	1740	b701e3585e852755624bc4965e7af509.exe	91
PID 1740 wrote to memory of 4712	1740	b701e3585e852755624bc4965e7af509.exe	91

C:\Users\Admin\AppData\Local\Temp\b701e3585e852755624bc4965e7af509.exe
"C:\Users\Admin\AppData\Local\Temp\b701e3585e852755624bc4965e7af509.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b701e3585e852755624bc4965e7af509.exe" "b701e3585e852755624bc4965e7af509.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-133-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/1740-134-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download