Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 22:06
Behavioral task: behavioral1
- Sample: b7a78039c28b0651b98e724e467b7ae2.exe
- Resource: win7-20230220-en (windows7-x64)
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: b7a78039c28b0651b98e724e467b7ae2.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 4 signatures
- 150 seconds
General
- Target: b7a78039c28b0651b98e724e467b7ae2.exe
- Size: 93KB
- MD5: b7a78039c28b0651b98e724e467b7ae2
- SHA1: ec86bf60519e232be075af5f3adc11464e5ac35d
- SHA256: 76a792f785b44066a7b802ef54cb979562357151be7e4eb5624dc929799603ba
- SHA512: bfee74ee135312163e06ee13bece5459b25065b28796e1bef1f03101a46ec0f5090a5318aa21dd51e2c167f39ed1993c54799eb15a36c33365ef40fd7eaadd73
- SSDEEP: 1536:nUNJD/HBZbszKu9AZp77r1jEwzGi1dDswDxgS:nUUzK4AZtHCi1dDu

Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2772  b7a78039c28b0651b98e724e467b7ae2.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: 33                          2772  b7a78039c28b0651b98e724e467b7ae2.exe
    Token: SeIncBasePriorityPrivilege  2772  b7a78039c28b0651b98e724e467b7ae2.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 2772 wrote to memory of 2688   2772  b7a78039c28b0651b98e724e467b7ae2.exe  netsh.exe
    PID 2772 wrote to memory of 2688   2772  b7a78039c28b0651b98e724e467b7ae2.exe  netsh.exe
    PID 2772 wrote to memory of 2688   2772  b7a78039c28b0651b98e724e467b7ae2.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b7a78039c28b0651b98e724e467b7ae2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b7a78039c28b0651b98e724e467b7ae2.exe"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b7a78039c28b0651b98e724e467b7ae2.exe" "b7a78039c28b0651b98e724e467b7ae2.exe" ENABLE
      - Modifies Windows Firewall