0e4c651aa1837f9dd5e0a5af273f6b55dddb3b9cdad49e9805471d91f2c1cfa0

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-01-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cont/bin/addport.bat
Size

249B
MD5

e2cbf1445a3138ad84853d055f5686fc
SHA1

1c1c6f03d2e1130e2afc1915007f22050639e734
SHA256

c3e626f73cddebc39d1bf0aa704738e39ea2119fa9fdcd5dda8153a1f0f10bb7
SHA512

915c72ba821ad669263bc71f5fad74dd49483bf310a4c4995875bd0fd5750f03fb2b730b3b3512411c32a195505e518161d8a8750a8367086cfbfa607e56c220

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2792	netsh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2792	2548	cmd.exe	29
PID 2548 wrote to memory of 2792	2548	cmd.exe	29
PID 2548 wrote to memory of 2792	2548	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cont\bin\addport.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\system32\netsh.exe
  netsh firewall add portopening protocol=tcp port=9000 name=╨í┼└│µ9000
  2⤵
  - Modifies Windows Firewall
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads