Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 22:55
Behavioral task: behavioral1
Sample: b8f8323ffe1e53ad1993f6f0fc91d38c.exe
Resource: win7-20230220-en (windows7-x64)
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: b8f8323ffe1e53ad1993f6f0fc91d38c.exe
Resource: win10v2004-20230221-en (windows10-2004-x64)
5 signatures, 150 seconds
General
Target: b8f8323ffe1e53ad1993f6f0fc91d38c.exe
Size: 93KB
MD5: b8f8323ffe1e53ad1993f6f0fc91d38c
SHA1: 2c9fc140de6f527fd62482428c89b3b8a9e0b2ab
SHA256: 016404b6167e37de1d2ca10010bab8b33dd102eca84b6e49d62f28a082004732
SHA512: d53990669b279c7a537a04e83f21410fc0e7824dd41700fb3d09496ffcf2934a4b2b05cd6be000873ddf786b39ddfc55685b692e5293d915e14a1cc082b8fb14
SSDEEP: 1536:Cl+C+xhUa9urgOBPmNvM4jEwzGi1dDdDkgS:ClIUa9urgOkdGi1dJd
Score: 8/10
Malware Config

Signatures
- Modifies Windows Firewall (1 TTPs, 3 IoCs)
  Processes:
    pid   process
    2744  netsh.exe
    1616  netsh.exe
    3264  netsh.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes (all 37 entries are pid 3724, process b8f8323ffe1e53ad1993f6f0fc91d38c.exe; the first entry is SeDebugPrivilege, then Token: 33 and Token: SeIncBasePriorityPrivilege alternate for the remaining 36 entries, 18 of each):
    description                        pid   process
    Token: SeDebugPrivilege            3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe
    Token: 33                          3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe
    Token: SeIncBasePriorityPrivilege  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 3724 wrote to memory of 3264  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 3264  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 3264  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 2744  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 2744  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 2744  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 1616  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 1616  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
    PID 3724 wrote to memory of 1616  3724  b8f8323ffe1e53ad1993f6f0fc91d38c.exe  netsh.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\b8f8323ffe1e53ad1993f6f0fc91d38c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8f8323ffe1e53ad1993f6f0fc91d38c.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b8f8323ffe1e53ad1993f6f0fc91d38c.exe" "b8f8323ffe1e53ad1993f6f0fc91d38c.exe" ENABLE
    - Modifies Windows Firewall
  - (depth 2) C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\b8f8323ffe1e53ad1993f6f0fc91d38c.exe"
    - Modifies Windows Firewall
  - (depth 2) C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b8f8323ffe1e53ad1993f6f0fc91d38c.exe" "b8f8323ffe1e53ad1993f6f0fc91d38c.exe" ENABLE
    - Modifies Windows Firewall