Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2023 03:06
Behavioral task: behavioral1
- Sample: c47ab566d6ea85d027927ce1090a1fc2.exe
- Resource: win7-20230220-en (windows7-x64)
- 4 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: c47ab566d6ea85d027927ce1090a1fc2.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 4 signatures
- 150 seconds
General
- Target: c47ab566d6ea85d027927ce1090a1fc2.exe
- Size: 37KB
- MD5: c47ab566d6ea85d027927ce1090a1fc2
- SHA1: f2d76803ce7b3bcacc04465e1b81332969cc8096
- SHA256: d0e0d585d9d3840cc31c2367e97215d025f2bb80f21e38a81294fd41277871d7
- SHA512: bf778fcb8edd662ca85d471ca6d4b66bd0d5a6c7e333c3b3c8a06ec5689f452c2e6caa2836c5fa35cc03bc938c47455267ff87aa217534d300bf24881a724e82
- SSDEEP: 384:9mOq0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM3R:fLdGdkrgYRwWS9rM+rMRa8Nu6Jt
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
description                        pid  process
Token: SeDebugPrivilege            904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: 33                          904  c47ab566d6ea85d027927ce1090a1fc2.exe
Token: SeIncBasePriorityPrivilege  904  c47ab566d6ea85d027927ce1090a1fc2.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                         pid  process                               target process
PID 904 wrote to memory of 816      904  c47ab566d6ea85d027927ce1090a1fc2.exe  netsh.exe
PID 904 wrote to memory of 816      904  c47ab566d6ea85d027927ce1090a1fc2.exe  netsh.exe
PID 904 wrote to memory of 816      904  c47ab566d6ea85d027927ce1090a1fc2.exe  netsh.exe
PID 904 wrote to memory of 816      904  c47ab566d6ea85d027927ce1090a1fc2.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c47ab566d6ea85d027927ce1090a1fc2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c47ab566d6ea85d027927ce1090a1fc2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (level 2, child of the above)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c47ab566d6ea85d027927ce1090a1fc2.exe" "c47ab566d6ea85d027927ce1090a1fc2.exe" ENABLE
    - Modifies Windows Firewall