Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 22:23
Behavioral task: behavioral1
Sample: b7dbdae666095355c2b1737459f7b8df.exe
Resource: win7-20230220-en (windows7-x64)
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: b7dbdae666095355c2b1737459f7b8df.exe
Resource: win10v2004-20230220-en (windows10-2004-x64)
5 signatures, 150 seconds
General

Target: b7dbdae666095355c2b1737459f7b8df.exe
Size: 93KB
MD5: b7dbdae666095355c2b1737459f7b8df
SHA1: f0b46ba9cc1d1c262ebc1ee65cc15273eb6c4226
SHA256: b640ee680aedb79ac683a15f29e96b866ac4994171f3ec7aa0dacf75499efa7a
SHA512: c8281807c050dd442157e73d2a105c86973aeff4728f4dc7d407325e00690399dbae69024fcc5991e6add0490e2df07584ace6c4ebd16696da24352c55a41dbd
SSDEEP: 1536:JUk1GkeUqZJO5iNSimjEwzGi1dDADQgS:JUPUqZJOQAOi1dG5
Score: 8/10
Malware Config
Signatures

- Modifies Windows Firewall (1 TTP, 1 IoC)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    3456  b7dbdae666095355c2b1737459f7b8df.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege            3456  b7dbdae666095355c2b1737459f7b8df.exe
    Token: 33                          3456  b7dbdae666095355c2b1737459f7b8df.exe
    Token: SeIncBasePriorityPrivilege  3456  b7dbdae666095355c2b1737459f7b8df.exe
    (the last two entries repeat, alternating, 18 times each: 1 + 36 = 37 IoCs)
  The sandbox names privilege 33 only by number; in winnt.h privilege value 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Of the three, SeDebugPrivilege is the notable one, since it lets the process open processes it does not own; the report records no such access beyond the sample's own netsh.exe child.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 3456 wrote to memory of 4012  3456  b7dbdae666095355c2b1737459f7b8df.exe  netsh.exe
    (recorded 3 times)
  All three writes target the netsh.exe child (PID 4012) that the sample itself spawns. CreateProcess writes the new process's parameters into the child's address space before it starts running, so a parent writing into its freshly created child is expected; on its own this is not evidence of injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\b7dbdae666095355c2b1737459f7b8df.exe
   "C:\Users\Admin\AppData\Local\Temp\b7dbdae666095355c2b1737459f7b8df.exe"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b7dbdae666095355c2b1737459f7b8df.exe" "b7dbdae666095355c2b1737459f7b8df.exe" ENABLE
      - Modifies Windows Firewall

The only child process is netsh.exe, and the command adds the sample's own executable (running from the user's Temp directory) to the Windows Firewall allowed-programs list, i.e. an inbound exception for itself under its own file name. Two details are worth noting. The child image is the SysWOW64 copy of netsh.exe: a 32-bit parent that launches "netsh" is routed to it by the WoW64 file-system redirector, which is consistent with the arch:x86 resource tag. The command also uses the legacy "netsh firewall" context; Windows 10 still applies it (with a deprecation notice) and the current equivalent is "netsh advfirewall firewall add rule ... action=allow program=...", so detection logic should cover both forms.
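The netsh command line in the process tree is the event a process-creation detection should catch. The Python below is an added example written for this page; it is not part of the sandbox report or of the sample. It tokenises Windows command lines, recognises both the legacy "netsh firewall add allowedprogram" form seen here and the current "netsh advfirewall firewall add rule ... action=allow program=" form, and flags rules whose allowed program (or whose parent process) lives in a user-writable directory. The event records, their field names (pid, ppid, image, parent_image, command_line) and the three command lines other than the sample's are constructed for the example, in the shape a Sysmon Event ID 1 or Windows 4688 collector might hand to a pipeline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Directories a standard user can write to. An inbound allow rule for a binary
# here is the interesting case: installed services under Program Files or
# System32 are normally whitelisted by their installer, not by the binary itself.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|programdata\\|windows\\temp\\|users\\public\\)",
    re.IGNORECASE,
)

# Windows command-line tokenizer: a token is a run of non-space characters in
# which double-quoted segments may contain spaces, so program="C:\Program Files\x.exe"
# stays one token. shlex is avoided because it treats backslashes as escapes.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample events (not from the report, except the first command line).
SAMPLE_EVENTS = [
    {   # the sample's own netsh invocation (legacy context, self-whitelisting)
        "pid": 4012, "ppid": 3456,
        "image": r"C:\Windows\SysWOW64\netsh.exe",
        "parent_image": r"C:\Users\Admin\AppData\Local\Temp\b7dbdae666095355c2b1737459f7b8df.exe",
        "command_line": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b7dbdae666095355c2b1737459f7b8df.exe" "b7dbdae666095355c2b1737459f7b8df.exe" ENABLE',
    },
    {   # constructed: same intent with the current advfirewall syntax
        "pid": 5100, "ppid": 5090,
        "image": r"C:\Windows\System32\netsh.exe",
        "parent_image": r"C:\Users\Admin\Downloads\setup.exe",
        "command_line": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\updater\upd.exe" enable=yes',
    },
    {   # constructed: benign, an admin allowing an installed service from PowerShell
        "pid": 6000, "ppid": 5990,
        "image": r"C:\Windows\System32\netsh.exe",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'netsh advfirewall firewall add rule name="Postgres" dir=in action=allow program="C:\Program Files\PostgreSQL\15\bin\postgres.exe"',
    },
    {   # constructed: unrelated netsh use
        "pid": 6200, "ppid": 6190,
        "image": r"C:\Windows\System32\netsh.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "netsh interface show interface",
    },
]


@dataclass
class Finding:
    pid: int
    ppid: int
    syntax: str                 # "legacy" (netsh firewall) or "advfirewall"
    program: str                # program path the rule allows
    reasons: list[str] = field(default_factory=list)


def tokenize(cmdline: str) -> list[str]:
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def _kv(tokens: list[str]) -> dict[str, str]:
    # netsh accepts key=value arguments; collect them with lower-cased keys
    out: dict[str, str] = {}
    for t in tokens:
        if "=" in t:
            k, v = t.split("=", 1)
            out[k.lower()] = v
    return out


def parse_allow_rule(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (syntax, program) if cmdline adds a firewall allow rule for a program."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    # netsh may be invoked as "netsh", "netsh.exe" or by full path
    if not low[0].rsplit("\\", 1)[-1].startswith("netsh"):
        return None
    # Legacy context:
    #   netsh firewall add allowedprogram [program=]<path> [name=]<name> [[mode=]ENABLE|DISABLE]
    if low[1:4] == ["firewall", "add", "allowedprogram"]:
        kv = _kv(toks[4:])
        positional = [t for t in toks[4:] if "=" not in t]
        program = kv.get("program") or (positional[0] if positional else None)
        if program is None:
            return None
        mode = kv.get("mode") or (positional[2] if len(positional) >= 3 else "ENABLE")
        return ("legacy", program) if mode.lower() == "enable" else None
    # Current context:
    #   netsh advfirewall firewall add rule name=<n> dir=in action=allow program=<path> ...
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv = _kv(toks[5:])
        if kv.get("action", "").lower() == "allow" and "program" in kv:
            return "advfirewall", kv["program"]
    return None


def analyze(event: dict) -> Optional[Finding]:
    parsed = parse_allow_rule(event["command_line"])
    if parsed is None:
        return None
    syntax, program = parsed
    f = Finding(event["pid"], event["ppid"], syntax, program)
    if USER_WRITABLE.match(program):
        f.reasons.append("allowed program lives in a user-writable directory")
    if USER_WRITABLE.match(event["parent_image"]):
        f.reasons.append("netsh spawned by a binary in a user-writable directory")
    if program.lower() == event["parent_image"].lower():
        f.reasons.append("binary is whitelisting itself")
    if syntax == "legacy":
        f.reasons.append("uses the deprecated 'netsh firewall' context")
    return f if f.reasons else None


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} (parent {f.ppid}) [{f.syntax}] allows {f.program}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed events, the sample's invocation is reported with all four reasons and the advfirewall variant with two; the PostgreSQL rule (program under Program Files, launched from PowerShell) and the interface query produce nothing. The parent-path and self-whitelisting checks are what separate this sample from routine installer activity, so they are the ones worth weighting highest in a real rule.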