Analysis

max time kernel: 144s
max time network: 141s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2024, 19:38

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: diversion.exe
Resource: win7-20231215-en
4 signatures
150 seconds
General

Target: diversion.exe
Size: 2.7MB
MD5: 4ae6ea73a7014e9eb84c810497048d26
SHA1: 593729b89608ca8ced8e4526b4be063cc7f4692c
SHA256: 60c1ae40c15f45a700c5da19164e60423f4054a9d644f079c7e431383031e578
SHA512: bf19e941cd87a3836b24c38f496aeebcef9516e1eb9debb483080b1a8ea69f940dd395c872ddc518c5cf5b8b3ea4cfe5b65cdefa9844827536d130e0ea5a3c22
SSDEEP: 49152:Mjfx9WPCAIGJEDBa6NJaOT91Ne+6vj/s67uBzouECTAJ1OxWGXosIcUgnFSJsBGw:wfxkCAIGJH66w91NQ/sauqu5sDOhERUU
Malware Config

Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)

  pid   Process
  3068  netsh.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)

  description                        pid   Process
  Token: SeDebugPrivilege            2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe
  Token: 33                          2280  diversion.exe
  Token: SeIncBasePriorityPrivilege  2280  diversion.exe

Suspicious use of WriteProcessMemory (4 IoCs)

  description                       pid   Process        procid_target
  PID 2280 wrote to memory of 3068  2280  diversion.exe  28
  PID 2280 wrote to memory of 3068  2280  diversion.exe  28
  PID 2280 wrote to memory of 3068  2280  diversion.exe  28
  PID 2280 wrote to memory of 3068  2280  diversion.exe  28
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\diversion.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\diversion.exe"
     PID: 2280
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

   2⤵ C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\diversion.exe" "diversion.exe" ENABLE
        PID: 3068
        - Modifies Windows Firewall