Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2023 01:13
Behavioral task: behavioral1
Sample: 243e61e9274fdd1d62c9c2cefc5d0c57.exe
Resource: win7-20230712-en
5 signatures, 150 seconds
General
Target: 243e61e9274fdd1d62c9c2cefc5d0c57.exe
Size: 23KB
MD5: 243e61e9274fdd1d62c9c2cefc5d0c57
SHA1: 8a915a682debbf969ed7917b5d26dd31e21786e8
SHA256: e162f5bb33843a8872968483555c053718bb9654c0641ccd393f4ddd08391e17
SHA512: 813d2568d465822d90352651e91e91d1dcdfd2e5c47e4b851d9500ac819602f80602c8b4bfc149b741b684b833c908cf41dd91827e13f2cbb852c0b175c4605e
SSDEEP: 384:MsqS+ER6vRKXGYKRWVSujUtX9w6Vglo61Z5DVmRvR6JZlbw8hqIusZzZU8:Tf65K2Yf1jMRpcnuO
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (all 35 entries are for pid 1880, 243e61e9274fdd1d62c9c2cefc5d0c57.exe):
description | pid | process | count
Token: SeDebugPrivilege | 1880 | 243e61e9274fdd1d62c9c2cefc5d0c57.exe | 1 (first entry)
Token: 33 | 1880 | 243e61e9274fdd1d62c9c2cefc5d0c57.exe | 17
Token: SeIncBasePriorityPrivilege | 1880 | 243e61e9274fdd1d62c9c2cefc5d0c57.exe | 17
After the single SeDebugPrivilege adjustment the report alternates strictly between Token: 33 and Token: SeIncBasePriorityPrivilege. The report shows privilege LUID 33 by number; it is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one worth attention here: it is only needed to open other users' or protected processes, and a 23KB program in the user's Temp directory has no legitimate reason to request it.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process | count
PID 1880 wrote to memory of 4616 | 1880 | 243e61e9274fdd1d62c9c2cefc5d0c57.exe | netsh.exe | 3
All three writes go from the sample into the netsh.exe child it spawned itself (pid 4616), so they are consistent with process creation rather than injection into an unrelated process; on their own they do not show code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe (pid 1880)
  command line: "C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (pid 4616, child of 1880)
    command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe" "243e61e9274fdd1d62c9c2cefc5d0c57.exe" ENABLE
    - Modifies Windows Firewall
The sample allow-lists its own image in the Windows Firewall, using the legacy netsh firewall context (deprecated in favour of netsh advfirewall firewall, but still executed on Windows 10). netsh.exe is resolved from SysWOW64, which means the parent is a 32-bit process running under WoW64 file-system redirection on this x64 VM.
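The firewall modification above is the one durable, host-visible change this run makes, and it is what a detection engineer would hunt for in process-creation telemetry. The following is an added example (not part of the sandbox report or of Triage's own signature logic): it scans constructed process-creation records in the shape of a Sysmon Event ID 1 entry and flags netsh invocations that allow-list a program living in a user-writable directory or that allow-list the calling parent's own image, covering both the legacy "netsh firewall add allowedprogram" syntax seen here and the "netsh advfirewall firewall add rule ... program=" form. The event field names, the USER_WRITABLE_MARKERS list and all events except the first (which mirrors the report's command line) are assumptions made for the example.

```python
import re
from typing import Optional

# Heuristic list of directories an unprivileged user can write to. An allow
# rule pointing here is far more interesting than one pointing into Program
# Files. Assumed for this example; the report does not define such a list.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
    "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
    "%temp%", "%tmp%", "%appdata%", "%localappdata%",
)

# Constructed process-creation events (Sysmon Event ID 1 shape). The first
# mirrors the report's netsh command line; the others are made up to show the
# benign, modern-syntax and block-rule cases.
SAMPLE_EVENTS = [
    {"pid": 4616,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "command_line": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe" "243e61e9274fdd1d62c9c2cefc5d0c57.exe" ENABLE'},
    {"pid": 5120,  # benign: admin allowing a service binary under Program Files
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow program="C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" enable=yes'},
    {"pid": 5388,  # modern syntax, same idea as the report: allow a binary in %APPDATA%
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="%APPDATA%\Updater\updater.exe"'},
    {"pid": 5402,  # a block rule is not allow-listing, even for a Public-folder binary
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="NoGo" dir=out action=block program="C:\Users\Public\tool.exe"'},
    {"pid": 5516,  # unrelated netsh use
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface show interface"},
]


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping "quoted runs" whole
    (so name="SQL Server" stays one token) and dropping the quote characters."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def norm(path):
    """Case-fold and normalise separators so path comparisons are stable."""
    return path.strip().lower().replace("/", "\\")


def allowed_program_from_netsh(cmd) -> Optional[str]:
    """Return the program path a netsh command allow-lists, or None if the
    command is not an allow-listing rule at all."""
    toks = tokenize(cmd)
    if not toks or norm(toks[0]).split("\\")[-1] not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    if "allowedprogram" in low and "add" in low:
        # legacy context: netsh firewall add allowedprogram [program=]path [name=]name [mode=]ENABLE
        rest = toks[low.index("allowedprogram") + 1:]
        for t in rest:
            if t.lower().startswith("program="):
                return t[len("program="):]
        return rest[0] if rest else None
    if "advfirewall" in low and "rule" in low and "add" in low:
        # modern context: key=value pairs; only action=allow is an allow-listing
        kv = {k.lower(): v for k, v in (t.split("=", 1) for t in toks if "=" in t)}
        if kv.get("action", "").lower() != "allow":
            return None
        return kv.get("program")
    return None


def triage_event(ev) -> Optional[dict]:
    """Return a finding for one event, or None if nothing is suspicious."""
    program = allowed_program_from_netsh(ev["command_line"])
    if program is None:
        return None
    p = norm(program)
    reasons = []
    if ev.get("parent_image") and norm(ev["parent_image"]) == p:
        reasons.append("netsh parent allow-lists its own image")
    if any(m in p for m in USER_WRITABLE_MARKERS):
        reasons.append("allow-listed program lives in a user-writable directory")
    return {"pid": ev["pid"], "program": program, "reasons": reasons} if reasons else None


def triage_events(events):
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The self-allow-listing check (parent image equals the allowed program) is the sharper of the two signals: an installer or administrator adding a rule normally does so from cmd.exe, PowerShell or an MSI, not from the binary being allowed. The block-rule case is excluded deliberately, since `action=block` hardens rather than opens the host.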
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file | region (pid 1880) | size
memory/1880-133-0x0000000074700000-0x0000000074CB1000-memory.dmp | 0x74700000-0x74CB1000 | 5.7MB
memory/1880-134-0x0000000074700000-0x0000000074CB1000-memory.dmp | 0x74700000-0x74CB1000 | 5.7MB
memory/1880-135-0x0000000000CE0000-0x0000000000CF0000-memory.dmp | 0xCE0000-0xCF0000 | 64KB
memory/1880-136-0x0000000074700000-0x0000000074CB1000-memory.dmp | 0x74700000-0x74CB1000 | 5.7MB
memory/1880-137-0x0000000074700000-0x0000000074CB1000-memory.dmp | 0x74700000-0x74CB1000 | 5.7MB
memory/1880-138-0x0000000000CE0000-0x0000000000CF0000-memory.dmp | 0xCE0000-0xCF0000 | 64KB
Six dumps, all from pid 1880: the same two regions captured repeatedly (dump sequence numbers 133 to 138), four of the 5.7MB region and two of the 64KB region.