1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-08-2023 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe
Size

9.1MB
MD5

be6316296ea8eb5f9326f85e455dd2be
SHA1

6c3c735fd9f352d165039ba09ee88b4e7a9b357f
SHA256

1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f
SHA512

9f5eca80461bf2eea5bbd644c5ccd40cc228ba0aded4d318540bf1529654d682d525f4df0fdbe23d643fbf679c3a2f0c92a0b7f3bc886c09c19f23873531c137
SSDEEP

98304:HxpgplG4v7N1vCjbpCa/tX1svhcHFgLcWE/HVgFjxG7Ex5qHemj5v/qBg7/GIM7F:I/VCUvKrWEWFI5j0A/GR

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2568	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe
2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe
2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1288	2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe	28
PID 2184 wrote to memory of 1288	2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe	28
PID 2184 wrote to memory of 1288	2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe	28
PID 2184 wrote to memory of 1288	2184	1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe	28
PID 1288 wrote to memory of 2568	1288	cmd.exe	30
PID 1288 wrote to memory of 2568	1288	cmd.exe	30
PID 1288 wrote to memory of 2568	1288	cmd.exe	30
PID 1288 wrote to memory of 2568	1288	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe
"C:\Users\Admin\AppData\Local\Temp\1b96996e7da56619945fbc5bc29df0d5c60719cc5dcc63646e79ab5474e3b37f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c NetSh Advfirewall set allprofiles state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads