Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2023 18:21
Behavioral task
- behavioral1
  - Sample: 03CFE21475FF1E4B334AD89DED81AE54.exe
  - Resource: win7-20231215-en (windows7-x64)
  - 5 signatures
  - 150 seconds
General
- Target: 03CFE21475FF1E4B334AD89DED81AE54.exe
- Size: 23KB
- MD5: 03cfe21475ff1e4b334ad89ded81ae54
- SHA1: 885cd1d6782f12eba1a8b02ba5e380b43d724ac8
- SHA256: b6634d60c4f33e8ff40efbbbddd098cc420fe12822c633752260e3b0e6d11307
- SHA512: 28361958762f5951c405f664e6891eca9fe735b791702db93599fbf34b50885d95dd8938784423ec4ccb50648a4f8350106b51d8082d43e65fa5371bf3bd9f56
- SSDEEP: 384:IcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZLp:330py6vhxaRpcnuG
Malware Config
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
  description                        pid   process                               count
  Token: SeDebugPrivilege            4792  03CFE21475FF1E4B334AD89DED81AE54.exe  1
  Token: 33                          4792  03CFE21475FF1E4B334AD89DED81AE54.exe  17
  Token: SeIncBasePriorityPrivilege  4792  03CFE21475FF1E4B334AD89DED81AE54.exe  17
  After the single SeDebugPrivilege call the remaining 34 entries strictly alternate between privilege 33 and SeIncBasePriorityPrivilege, 17 times each. "33" is the raw privilege LUID as logged by the sandbox; in winnt.h it is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). The signature records the AdjustTokenPrivileges calls, not whether they succeeded: a privilege can only be enabled if it is already present in the token, so the SeDebugPrivilege entry on its own does not prove the process ever held debug rights.
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description         source pid  source process                        target pid  target process  count
  wrote to memory of  4792        03CFE21475FF1E4B334AD89DED81AE54.exe  3972        netsh.exe       3
  All three writes target the netsh.exe child that the sample itself launches (PID 3972, see the process tree below), not a pre-existing process. A parent writing into a child it has just created is normal during process start-up, so this is much weaker evidence of code injection than writes into an unrelated process would be.
Processes
- C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe (PID 4792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (PID 3972, child of 4792)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe" "03CFE21475FF1E4B334AD89DED81AE54.exe" ENABLE
    - Modifies Windows Firewall
  The sample adds its own executable, still sitting in %TEMP%, to the Windows Firewall program exception list, which permits inbound connections to it. It uses the legacy "netsh firewall" context: Windows still accepts that context but reports it as deprecated in favour of "netsh advfirewall firewall", so detection logic that only matches the advfirewall syntax misses this command. netsh.exe resolves to SysWOW64, which shows the sample is a 32-bit process subject to WoW64 file-system redirection, consistent with the arch:x86 resource tag.
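The firewall change is the most actionable artefact in this report. The following Python is an added detection example (not code from the report, the sandbox, or the sample): it scans Sysmon-style process-creation events for netsh commands that add a firewall exception for a program located in a user-writable path, and it covers both the deprecated "netsh firewall add allowedprogram" form recorded above and the current "netsh advfirewall firewall add rule ... program=" form. The events are constructed: the first reproduces the command line from the process tree, while the others (updater.exe, sqlservr.exe, PIDs 5100/5200/5300 and their parents) are invented contrast cases, and the list of user-writable path markers is a heuristic assumption.

```python
"""Flag netsh firewall exceptions added for programs in user-writable locations.

Added example over constructed Sysmon-style process-creation events; only the
first event's command line comes from the sandbox report.
"""
import re

# One token is a run of non-space/non-quote text and/or double-quoted strings,
# so program="C:\Program Files\x.exe" survives as a single token.
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Heuristic (assumed) path fragments an unprivileged user can write to, lower-case.
_USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\windows\\temp\\")


def tokenize(cmdline):
    """Split a Windows command line into tokens, dropping the quote characters."""
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


def _kv(tokens, key):
    """Value of a key=value token whose key matches case-insensitively, else None."""
    for t in tokens:
        k, sep, v = t.partition("=")
        if sep and k.lower() == key:
            return v
    return None


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in _USER_WRITABLE)


def parse_firewall_exception(cmdline):
    """Describe a firewall allow/exception added via netsh, or return None.

    Handles the deprecated 'netsh firewall add allowedprogram' context and the
    current 'netsh advfirewall firewall add rule ... program=' context.
    """
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]

    # Legacy: netsh firewall add allowedprogram [program=]<path> [name=]<name> [[mode=]ENABLE|DISABLE]
    for i in range(len(low) - 2):
        if low[i:i + 3] == ["firewall", "add", "allowedprogram"]:
            rest = toks[i + 3:]
            positional = [t for t in rest if "=" not in t]
            program = _kv(rest, "program") or (positional[0] if positional else None)
            mode = _kv(rest, "mode") or (positional[2] if len(positional) > 2 else "ENABLE")
            if program is None:
                return None
            # Legacy exceptions only ever apply to inbound traffic.
            return {"kind": "legacy", "program": program, "dir": "in",
                    "enabled": mode.upper() == "ENABLE"}

    # Current: netsh advfirewall firewall add rule name=.. dir=in action=allow program=..
    if "advfirewall" in low and "add" in low and "rule" in low:
        program = _kv(toks, "program")
        if program is None or (_kv(toks, "action") or "").lower() != "allow":
            return None
        return {"kind": "advfirewall", "program": program,
                "dir": (_kv(toks, "dir") or "in").lower(),
                "enabled": (_kv(toks, "enable") or "yes").lower() == "yes"}
    return None


def find_firewall_exceptions(events):
    """One finding per netsh process-creation event that adds a program exception."""
    findings = []
    for ev in events:
        if ev["image"].lower().rsplit("\\", 1)[-1] != "netsh.exe":
            continue
        f = parse_firewall_exception(ev["cmdline"])
        if f is None:
            continue
        f.update(pid=ev["pid"], ppid=ev["ppid"], user_writable=is_user_writable(f["program"]))
        findings.append(f)
    return findings


def suspicious(findings):
    """Enabled exceptions whose program lives in a user-writable location."""
    return [f for f in findings if f["enabled"] and f["user_writable"]]


# Constructed sample events (Sysmon Event ID 1 style). Only the first command line
# is taken from the report; the rest are invented contrast cases.
SAMPLE_EVENTS = [
    {"pid": 3972, "ppid": 4792, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe" "03CFE21475FF1E4B334AD89DED81AE54.exe" ENABLE'},
    {"pid": 5100, "ppid": 4800, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\updater.exe" enable=yes'},
    {"pid": 5200, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="SQL" dir=in action=allow program="C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" enable=yes'},
    {"pid": 5300, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for f in suspicious(find_firewall_exceptions(SAMPLE_EVENTS)):
        print(f"pid {f['pid']} (parent {f['ppid']}): {f['kind']} allow {f['dir']} for {f['program']}")
```

The parent PID matters as much as the path: in this report the netsh child is spawned by the executable it is whitelisting, which is a stronger signal than either fact alone. On a live host the same question is answered from the effective rule set rather than from process logs; in PowerShell, Get-NetFirewallApplicationFilter lists the program path bound to each rule, and any path under a user profile or Temp directory deserves the same scrutiny.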
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/4792-0-0x0000000074FB0000-0x0000000075561000-memory.dmp (Filesize 5.7MB)
- memory/4792-1-0x0000000001270000-0x0000000001280000-memory.dmp (Filesize 64KB)
- memory/4792-2-0x0000000074FB0000-0x0000000075561000-memory.dmp (Filesize 5.7MB)
- memory/4792-3-0x0000000074FB0000-0x0000000075561000-memory.dmp (Filesize 5.7MB)
- memory/4792-4-0x0000000001270000-0x0000000001280000-memory.dmp (Filesize 64KB)
All five dumps are from PID 4792: the same 5.7MB region at 0x74FB0000 captured three times and the same 64KB region at 0x01270000 captured twice, both within the 32-bit address space.