Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2023 23:56
Behavioral task: behavioral1
Sample: baa39b6dd7f993583c3c877f33972906.exe
Resource: win7-20230220-en (windows7-x64)
4 signatures
150 seconds

Behavioral task: behavioral2
Sample: baa39b6dd7f993583c3c877f33972906.exe
Resource: win10v2004-20230220-en (windows10-2004-x64)
4 signatures
150 seconds
General
Target: baa39b6dd7f993583c3c877f33972906.exe
Size: 37KB
MD5: baa39b6dd7f993583c3c877f33972906
SHA1: 39608e3f124aaf0ae73b94ed1b79bfb4959c5370
SHA256: 7527323a12bb2682047a438f8eb0b1ea4049e0733202fe0597e48dc00c1f23a4
SHA512: c27f55455eab3507b399a7fe15662485c780a43dd259f44f4faf0e2db804cc4f8b0dc25f5c34ba5ee050ddac528f6d1a0385a67f34c80449d0a1d0cceabca3f1
SSDEEP: 384:4KwCT0i9rdTe/kCOyU7jcnZ8DfmTdrAF+rMRTyN/0L+EcoinblneHQM3epzXKNrY:R1J1CFU7jcC7m5rM+rMRa8NuYWt
Score: 8/10
Malware Config

Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
description                            pid   process
Token: SeDebugPrivilege                1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
Token: 33                              1196  baa39b6dd7f993583c3c877f33972906.exe
Token: SeIncBasePriorityPrivilege      1196  baa39b6dd7f993583c3c877f33972906.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                       pid   process                                target process
PID 1196 wrote to memory of 908   1196  baa39b6dd7f993583c3c877f33972906.exe   netsh.exe
PID 1196 wrote to memory of 908   1196  baa39b6dd7f993583c3c877f33972906.exe   netsh.exe
PID 1196 wrote to memory of 908   1196  baa39b6dd7f993583c3c877f33972906.exe   netsh.exe
PID 1196 wrote to memory of 908   1196  baa39b6dd7f993583c3c877f33972906.exe   netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\baa39b6dd7f993583c3c877f33972906.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\baa39b6dd7f993583c3c877f33972906.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\baa39b6dd7f993583c3c877f33972906.exe" "baa39b6dd7f993583c3c877f33972906.exe" ENABLE
      - Modifies Windows Firewall