da83ebf186d48f78f9aa8fd6c67d50141c20a104696697373badd324555b4c96

Analysis

max time kernel
142s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 00:16

Target

0d8b76317dbfa4482bc07bc247df8f25.exe
Size

31KB
MD5

0d8b76317dbfa4482bc07bc247df8f25
SHA1

236b3b64330227d5d34bda71703945747ecacf06
SHA256

da83ebf186d48f78f9aa8fd6c67d50141c20a104696697373badd324555b4c96
SHA512

807b7f22dd6fc7dece192ecc817d4471772134d4b48c08bd4f689d80aa4cd248eadd6625a2360bfef30f14dd54dd55c99e23ce88d8cf4d2c5af947f1978aa238
SSDEEP

768:8rzgfV5VXPKzxF+dtYjK/L+rvAJQmIDUu0tiJsj:/fqci4QVknj

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1368 netsh.exe

pid	process
1368	netsh.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

0d8b76317dbfa4482bc07bc247df8f25.exe

description	pid	process
Token: SeDebugPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: 33	916	0d8b76317dbfa4482bc07bc247df8f25.exe
Token: SeIncBasePriorityPrivilege	916	0d8b76317dbfa4482bc07bc247df8f25.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0d8b76317dbfa4482bc07bc247df8f25.exe

description	pid	process	target process
PID 916 wrote to memory of 1368	916	0d8b76317dbfa4482bc07bc247df8f25.exe	netsh.exe
PID 916 wrote to memory of 1368	916	0d8b76317dbfa4482bc07bc247df8f25.exe	netsh.exe
PID 916 wrote to memory of 1368	916	0d8b76317dbfa4482bc07bc247df8f25.exe	netsh.exe
PID 916 wrote to memory of 1368	916	0d8b76317dbfa4482bc07bc247df8f25.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0d8b76317dbfa4482bc07bc247df8f25.exe" "0d8b76317dbfa4482bc07bc247df8f25.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1368

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/916-54-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/916-55-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/916-56-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/916-57-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download