Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2024, 19:38

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: diversion.exe
  Resource: win7-20231215-en (as listed for the task; the run shown on this page reports resource win10v2004-20231222-en)
  4 signatures, 150 seconds
General

Target: diversion.exe
Size: 2.7MB
MD5: 4ae6ea73a7014e9eb84c810497048d26
SHA1: 593729b89608ca8ced8e4526b4be063cc7f4692c
SHA256: 60c1ae40c15f45a700c5da19164e60423f4054a9d644f079c7e431383031e578
SHA512: bf19e941cd87a3836b24c38f496aeebcef9516e1eb9debb483080b1a8ea69f940dd395c872ddc518c5cf5b8b3ea4cfe5b65cdefa9844827536d130e0ea5a3c22
SSDEEP: 49152:Mjfx9WPCAIGJEDBa6NJaOT91Ne+6vj/s67uBzouECTAJ1OxWGXosIcUgnFSJsBGw:wfxkCAIGJH66w91NQ/sauqu5sDOhERUU
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  4324  netsh.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             3580  diversion.exe
  Token: 33                           3580  diversion.exe
  Token: SeIncBasePriorityPrivilege   3580  diversion.exe
  The pair Token: 33 / Token: SeIncBasePriorityPrivilege repeats for the remainder of the 35 entries, all for pid 3580 diversion.exe. Token: 33 is a privilege reported by number rather than by name; if that number is the winnt.h LUID, 33 is SE_INC_WORKING_SET_PRIVILEGE. SeDebugPrivilege being enabled at all is the notable entry: it is only useful for opening other processes, and a program in a Temp directory has no routine need for it.

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process        procid_target
  PID 3580 wrote to memory of 4324   3580  diversion.exe  96
  The same entry is listed three times. All three writes target PID 4324, the netsh.exe child spawned below; writes from a parent into a freshly created child are part of normal process creation, so this signature here reflects the spawn rather than a separate injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\diversion.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\diversion.exe"
   PID: 3580
   Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of PID 3580)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\diversion.exe" "diversion.exe" ENABLE
      PID: 4324
      Signatures: Modifies Windows Firewall

Two details of the child are worth reading carefully. The image path is C:\Windows\SysWOW64\netsh.exe, which is where file system redirection sends a 32-bit process that asks for System32; together with the arch:x86 resource tag this shows diversion.exe running as a 32-bit (WoW64) process. The command uses the legacy netsh firewall context, which has been deprecated since Windows Vista in favour of netsh advfirewall but is still accepted on Windows 10; it adds the sample's own path to the allowed-programs list, so inbound connections to diversion.exe pass the host firewall without any further prompt. A Temp-resident executable whitelisting itself in the firewall immediately after start is the behaviour to key detections on, independent of the sample's hashes.
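As an added example, not part of the sandbox report, the following Python flags process-creation events that match the pattern in the process tree above: netsh.exe adding a firewall allow entry for a program in a user-writable location, or for its own parent. The records are constructed in Sysmon Event ID 1 style; only the first record reuses values from this report (PIDs, image paths and the netsh command line), the others are invented to cover a benign rule, a non-firewall netsh call and a block rule. The field names, the list of user-writable locations and the severity scoring are assumptions to tune for your own telemetry.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed Sysmon Event ID 1 style records (one JSON object per line).
# Only the first record reuses values from the sandbox report above (PIDs,
# image paths and the netsh command line); the rest are invented to exercise
# the benign and edge cases.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4324,"Image":"C:\\Windows\\SysWOW64\\netsh.exe","CommandLine":"netsh firewall add allowedprogram \"C:\\Users\\Admin\\AppData\\Local\\Temp\\diversion.exe\" \"diversion.exe\" ENABLE","ParentProcessId":3580,"ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\diversion.exe"}
{"EventID":1,"ProcessId":5120,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh advfirewall firewall add rule name=\"Updater\" dir=in action=allow program=\"C:\\ProgramData\\Updater\\updater.exe\"","ParentProcessId":5100,"ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"ProcessId":6000,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh advfirewall firewall add rule name=\"VPN\" dir=in action=allow program=\"C:\\Program Files\\VPN\\vpn.exe\"","ParentProcessId":5900,"ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"ProcessId":6100,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh interface ip show config","ParentProcessId":5900,"ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"ProcessId":6200,"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh advfirewall firewall add rule name=\"Block\" dir=in action=block program=\"C:\\Users\\Admin\\AppData\\Local\\Temp\\other.exe\"","ParentProcessId":5900,"ParentImage":"C:\\Windows\\System32\\cmd.exe"}
"""

# Legacy context used by the sample:
#   netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE|DISABLE
LEGACY_ALLOWEDPROGRAM_RE = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Modern equivalent: netsh advfirewall firewall add rule ... action=allow program=<path>
ADVFIREWALL_RULE_RE = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)

# Assumed list of locations an unprivileged user can write to; tune per estate.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
    "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\",
)


def allowed_program_path(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command adds as a firewall allow entry, else None."""
    m = LEGACY_ALLOWEDPROGRAM_RE.search(cmdline)
    if m:
        return m.group(1) or m.group(2)
    m = ADVFIREWALL_RULE_RE.search(cmdline)
    if m and re.search(r"\baction=allow\b", cmdline, re.I):
        return m.group(1) or m.group(2)
    return None


def in_user_writable_location(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def analyze_event(ev: dict) -> Optional[dict]:
    """Flag a process-creation event in which netsh.exe opens the host firewall for a suspicious program."""
    image = ev.get("Image", "")
    if ev.get("EventID") != 1 or PureWindowsPath(image).name.lower() != "netsh.exe":
        return None
    path = allowed_program_path(ev.get("CommandLine", ""))
    if path is None:
        return None
    parent = ev.get("ParentImage", "")
    reasons = []
    if path.lower() == parent.lower():
        reasons.append("allow entry targets the parent process itself")
    if in_user_writable_location(path):
        reasons.append("allowed program resides in a user-writable location")
    if in_user_writable_location(parent):
        reasons.append("netsh.exe launched from a user-writable location")
    if not reasons:
        return None
    return {
        "pid": ev.get("ProcessId"),
        "parent_pid": ev.get("ParentProcessId"),
        "parent_image": parent,
        "allowed_program": path,
        # SysWOW64\netsh.exe means a 32-bit parent hit file system redirection.
        "wow64": "\\syswow64\\" in image.lower(),
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 else "medium",
    }


def scan(jsonl: str) -> list:
    """Run analyze_event over JSON-lines input and collect the findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Run against the constructed records, the report's own event scores high on all three reasons (the allow entry names the parent, and both live in AppData\Local\Temp), the ProgramData updater scores medium on one reason, and the Program Files rule, the interface query and the block rule produce nothing. The legacy firewall context is matched separately from advfirewall because the two grammars differ; a rule that only looked for "advfirewall" would have missed this sample.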