Analysis
max time kernel: 155s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-10-2023 21:01
Behavioral task: behavioral1
Sample: 33DD87541BC8AC254706571995F70E18.exe
Resource: win7-20230831-en (windows7-x64)
4 signatures, 150 seconds
General
Target: 33DD87541BC8AC254706571995F70E18.exe
Size: 23KB
MD5: 33dd87541bc8ac254706571995f70e18
SHA1: bae5b770ca714de85ec789c5b5de2d0cb7e7483d
SHA256: 4f7f672a899e6bdbb5b3352fc359cc426fe7053fcfa53036a48572bac7df36ef
SHA512: ca30a65b0ac564d26b9af1a155a5eba03acfc9aded02f452fd84115d62287b2003cef7c47a707f6ed94e0540962df53a4fe36907b63c188db90e0ee061cc8dea
SSDEEP: 384:J8aZYC9twBNdcvFaly2H0dVJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZ93Q:RY+sNKqNHFSdRpcnud
Malware Config

Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            4256  33DD87541BC8AC254706571995F70E18.exe
  Token: 33                          4256  33DD87541BC8AC254706571995F70E18.exe
  Token: SeIncBasePriorityPrivilege  4256  33DD87541BC8AC254706571995F70E18.exe
  Token: 33                          4256  33DD87541BC8AC254706571995F70E18.exe
  Token: SeIncBasePriorityPrivilege  4256  33DD87541BC8AC254706571995F70E18.exe
  (the Token: 33 / Token: SeIncBasePriorityPrivilege pair repeats: 16 of each after the single SeDebugPrivilege row, 33 rows in total, all from pid 4256)
"Token: 33" is a privilege the sandbox reports by its numeric LUID rather than by name; LUID 33 is SeIncreaseWorkingSetPrivilege.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process                               target process
  PID 4256 wrote to memory of 4008  4256  33DD87541BC8AC254706571995F70E18.exe  netsh.exe
  PID 4256 wrote to memory of 4008  4256  33DD87541BC8AC254706571995F70E18.exe  netsh.exe
  PID 4256 wrote to memory of 4008  4256  33DD87541BC8AC254706571995F70E18.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe"
   PID: 4256
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe" "33DD87541BC8AC254706571995F70E18.exe" ENABLE
      PID: 4008
      - Modifies Windows Firewall
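Detection logic for the firewall change recorded in the process tree above, added here as an example and not part of the sandbox report. It scans process-creation events (Sysmon Event ID 1 style fields; the field names are an assumption and the events are constructed, except that the first command line is the one the report shows) for netsh invocations that add a firewall exception for a program, in both the deprecated `netsh firewall add allowedprogram` form this sample uses and the current `netsh advfirewall firewall add rule ... action=allow` form. Each hit is scored on the two traits visible in this report: the exception covers the very executable that spawned netsh, and that executable lives in a user-writable directory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation events in Sysmon Event ID 1 style (field names
# are an assumption). The first event reproduces the netsh command line from
# the report above; the other three are made up for contrast.
EVENTS = [
    {"pid": 4008, "ppid": 4256,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe",
     "image": r"C:\Windows\SysWOW64\netsh.exe",  # 32-bit parent, so WOW64 redirection picks this netsh
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe" "33DD87541BC8AC254706571995F70E18.exe" ENABLE'},
    {"pid": 5120, "ppid": 1180,
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'},
    {"pid": 5300, "ppid": 2200,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh interface show interface"},
    {"pid": 5400, "ppid": 3100,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\drop.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name=x dir=in action=block program="C:\Users\Admin\AppData\Local\Temp\drop.exe"'},
]

# Deprecated syntax: netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE|DISABLE
LEGACY = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Current syntax: netsh advfirewall firewall add rule key=value ...
ADV = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b(.*)', re.I | re.S)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories an unprivileged user can write to; an exception for a binary
# living here deserves more attention than one under Program Files.
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Downloads|Public)\\', re.I)


@dataclass
class Finding:
    pid: int
    syntax: str           # "legacy" or "advfirewall"
    program: str          # executable the new rule allows
    self_whitelist: bool  # the allowed program is the process that launched netsh
    user_writable: bool   # the allowed program lives in a user-writable directory


def allowed_program(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (syntax, program path) if cmd adds a firewall allow rule for a program."""
    m = LEGACY.search(cmd)
    if m:
        return "legacy", (m.group(1) or m.group(2))
    m = ADV.search(cmd)
    if m:
        # findall yields '' for the group that did not participate, hence `q or u`
        kv = {k.lower(): (q or u) for k, q, u in KV.findall(m.group(1))}
        if kv.get("action", "").lower() == "allow" and "program" in kv:
            return "advfirewall", kv["program"]
    return None


def scan(events) -> List[Finding]:
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\netsh.exe"):
            continue
        hit = allowed_program(e["cmd"])
        if hit is None:
            continue
        syntax, program = hit
        findings.append(Finding(
            pid=e["pid"], syntax=syntax, program=program,
            self_whitelist=program.lower() == e["parent_image"].lower(),
            user_writable=bool(USER_WRITABLE.search(program)),
        ))
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        traits = [n for n in ("self_whitelist", "user_writable") if getattr(f, n)]
        print(f"pid {f.pid}: {f.syntax} allow rule for {f.program} {traits}")
```

The report's own event comes back as a legacy-syntax hit with both traits set, while the constructed vendor installer is a hit with neither, which is the usual shape of a legitimate exception; the `action=block` rule and the unrelated `netsh interface` call produce nothing. The deprecated `netsh firewall` context is still executed by current Windows versions (with a deprecation notice), so a detection that only parses `advfirewall` syntax misses exactly the form this sample uses.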
Network
MITRE ATT&CK Enterprise v15
Downloads
  file                                                              size
  memory/4256-0-0x0000000074B00000-0x00000000750B1000-memory.dmp    5.7MB
  memory/4256-1-0x0000000074B00000-0x00000000750B1000-memory.dmp    5.7MB
  memory/4256-2-0x0000000001440000-0x0000000001450000-memory.dmp    64KB
  memory/4256-3-0x0000000074B00000-0x00000000750B1000-memory.dmp    5.7MB
  memory/4256-4-0x0000000001440000-0x0000000001450000-memory.dmp    64KB