47d7951e77aaff5f193efb39d5d9111cda39bbe07ea58595d4e33ce173e7df57

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a868db74f08e1fc888b6afb.exe
Size

37KB
MD5

38a868db74f08e1fc888b6afb631be59
SHA1

b8007e5c2f2b1986949802b7f6cec7a9d94a63f9
SHA256

47d7951e77aaff5f193efb39d5d9111cda39bbe07ea58595d4e33ce173e7df57
SHA512

43d0ce6f87076fb038c2df401aea6391d751b6d76829fe6446633f755fe3233848e0405fc77de2d0b075d0fde0e86ed016116ba7af204b664171727793f326e7
SSDEEP

384:BmqQilQhHeTnMGiyMTFU3nuj346arAF+rMRTyN/0L+EcoinblneHQM3epzXBBNrT:kLSMGxMTFUej4xrM+rMRa8Nutjt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
788	netsh.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe
Token: 33	1620	38a868db74f08e1fc888b6afb.exe
Token: SeIncBasePriorityPrivilege	1620	38a868db74f08e1fc888b6afb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 788	1620	38a868db74f08e1fc888b6afb.exe	29
PID 1620 wrote to memory of 788	1620	38a868db74f08e1fc888b6afb.exe	29
PID 1620 wrote to memory of 788	1620	38a868db74f08e1fc888b6afb.exe	29
PID 1620 wrote to memory of 788	1620	38a868db74f08e1fc888b6afb.exe	29

C:\Users\Admin\AppData\Local\Temp\38a868db74f08e1fc888b6afb.exe
"C:\Users\Admin\AppData\Local\Temp\38a868db74f08e1fc888b6afb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\38a868db74f08e1fc888b6afb.exe" "38a868db74f08e1fc888b6afb.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-54-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download