Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2023 18:20
Behavioral task
- behavioral1
- Sample: 03CFE21475FF1E4B334AD89DED81AE54.exe
- Resource: win7-20231129-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 03CFE21475FF1E4B334AD89DED81AE54.exe
- Size: 23KB
- MD5: 03cfe21475ff1e4b334ad89ded81ae54
- SHA1: 885cd1d6782f12eba1a8b02ba5e380b43d724ac8
- SHA256: b6634d60c4f33e8ff40efbbbddd098cc420fe12822c633752260e3b0e6d11307
- SHA512: 28361958762f5951c405f664e6891eca9fe735b791702db93599fbf34b50885d95dd8938784423ec4ccb50648a4f8350106b51d8082d43e65fa5371bf3bd9f56
- SSDEEP: 384:IcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZLp:330py6vhxaRpcnuG
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes:
Process: 03CFE21475FF1E4B334AD89DED81AE54.exe
description | pid | process
Token: SeDebugPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
Process: 03CFE21475FF1E4B334AD89DED81AE54.exe
description | pid | process | target process
PID 848 wrote to memory of 2620 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe | netsh.exe
PID 848 wrote to memory of 2620 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe | netsh.exe
PID 848 wrote to memory of 2620 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe | netsh.exe
PID 848 wrote to memory of 2620 | 848 | 03CFE21475FF1E4B334AD89DED81AE54.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe"
   PID: 848
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (depth 2, spawned under PID 848)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe" "03CFE21475FF1E4B334AD89DED81AE54.exe" ENABLE
      PID: 2620
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
file | size
memory/848-0-0x0000000074ED0000-0x000000007547B000-memory.dmp | 5.7MB
memory/848-1-0x00000000001B0000-0x00000000001F0000-memory.dmp | 256KB
memory/848-2-0x0000000074ED0000-0x000000007547B000-memory.dmp | 5.7MB
memory/848-3-0x0000000074ED0000-0x000000007547B000-memory.dmp | 5.7MB
memory/848-4-0x00000000001B0000-0x00000000001F0000-memory.dmp | 256KB