d0e0d585d9d3840cc31c2367e97215d025f2bb80f21e38a81294fd41277871d7

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 03:06

Target

c47ab566d6ea85d027927ce1090a1fc2.exe
Size

37KB
MD5

c47ab566d6ea85d027927ce1090a1fc2
SHA1

f2d76803ce7b3bcacc04465e1b81332969cc8096
SHA256

d0e0d585d9d3840cc31c2367e97215d025f2bb80f21e38a81294fd41277871d7
SHA512

bf778fcb8edd662ca85d471ca6d4b66bd0d5a6c7e333c3b3c8a06ec5689f452c2e6caa2836c5fa35cc03bc938c47455267ff87aa217534d300bf24881a724e82
SSDEEP

384:9mOq0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3R:fLdGdkrgYRwWS9rM+rMRa8Nu6Jt

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

816 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
816	netsh.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

c47ab566d6ea85d027927ce1090a1fc2.exe

description	pid	process
Token: SeDebugPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33	904	c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege	904	c47ab566d6ea85d027927ce1090a1fc2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c47ab566d6ea85d027927ce1090a1fc2.exe

description	pid	process	target process
PID 904 wrote to memory of 816	904	c47ab566d6ea85d027927ce1090a1fc2.exe	netsh.exe
PID 904 wrote to memory of 816	904	c47ab566d6ea85d027927ce1090a1fc2.exe	netsh.exe
PID 904 wrote to memory of 816	904	c47ab566d6ea85d027927ce1090a1fc2.exe	netsh.exe
PID 904 wrote to memory of 816	904	c47ab566d6ea85d027927ce1090a1fc2.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c47ab566d6ea85d027927ce1090a1fc2.exe" "c47ab566d6ea85d027927ce1090a1fc2.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:816

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

memory/904-54-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/904-55-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download