301a6fb626b71f2e471121fbc36042dc31a720cb79d85842773a4d4cfeade1a2

Resubmissions

31/08/2023, 11:07

230831-m716gsec8s 10

Analysis

max time kernel
148s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31/08/2023, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dskjdfkjlfkjdjfldkjfldjfdServer.exe
Size

93KB
MD5

6c235ff3554af119cf5a38c0e519f5fb
SHA1

7457de3999900fa76a896ecd5d12ab09ab750dde
SHA256

301a6fb626b71f2e471121fbc36042dc31a720cb79d85842773a4d4cfeade1a2
SHA512

4be7c20f7ce89fbff64ca34cc115542e7492b0cfb22639828b1d4d23da7b77e2c988215e35b3b25de66a28e3cfff5ae69c1bdd3c0b24fa66b0d0f908043aeaae
SSDEEP

1536:6UNJD/HBZbszKu9AZpE7r1jEwzGi1dDoDqgS:6UUzK4AZCHCi1d2v

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2024	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: 33	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe
Token: SeIncBasePriorityPrivilege	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 2024	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe	69
PID 4596 wrote to memory of 2024	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe	69
PID 4596 wrote to memory of 2024	4596	dskjdfkjlfkjdjfldkjfldjfdServer.exe	69

C:\Users\Admin\AppData\Local\Temp\dskjdfkjlfkjdjfldkjfldjfdServer.exe
"C:\Users\Admin\AppData\Local\Temp\dskjdfkjlfkjdjfldkjfldjfdServer.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dskjdfkjlfkjdjfldkjfldjfdServer.exe" "dskjdfkjlfkjdjfldkjfldjfdServer.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-0-0x0000000073E60000-0x0000000074410000-memory.dmp

Filesize
5.7MB

Download
memory/4596-1-0x0000000073E60000-0x0000000074410000-memory.dmp

Filesize
5.7MB

Download
memory/4596-2-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/4596-4-0x0000000073E60000-0x0000000074410000-memory.dmp

Filesize
5.7MB

Download
memory/4596-5-0x0000000073E60000-0x0000000074410000-memory.dmp

Filesize
5.7MB

Download
memory/4596-6-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads