Analysis
  max time kernel: 299s
  max time network: 126s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 24-02-2024 23:04
Behavioral task: behavioral1
  Sample: 66666.exe
  Resource: win7-20240221-en
  4 signatures, 300 seconds

Behavioral task: behavioral2
  Sample: 66666.exe
  Resource: win10v2004-20240221-en
  4 signatures, 300 seconds
General
  Target: 66666.exe
  Size: 93KB
  MD5: 5391f790fd71a00202e64b0b9aabd3e7
  SHA1: b1645aa8d59fabada9f1ba0fbd9cbd8167793642
  SHA256: feae432dd8804bc4193b1632ebf7fc5244f49408ba28462a944d90e0b200418a
  SHA512: 3ae4f82ac3ef7184b440afbbba4f6e552994eddc89a2d6f535b246cfd6351e1d9d84acdae11d8f751b7d53a845d127711b0c44e85533142bf152f93236d681c5
  SSDEEP: 768:MY33UYSgmnldjcRoMwrx7Y+DIkIITJbXX0pOtzux82WXxrjEtCdnl2pi1Rz4Rk3/:DUmmlbrq+1NTZrOojEwzGi1dDNDpgS
  Score: 8/10
Malware Config

Signatures
  Modifies Windows Firewall (2 TTPs, 1 IoCs)
    pid 2892   Process netsh.exe
  Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    pid 2804   Process 66666.exe
  Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Suspicious use of WriteProcessMemory (4 IoCs)
    description                        pid   Process    procid_target
    PID 2804 wrote to memory of 2892   2804  66666.exe  28
    PID 2804 wrote to memory of 2892   2804  66666.exe  28
    PID 2804 wrote to memory of 2892   2804  66666.exe  28
    PID 2804 wrote to memory of 2892   2804  66666.exe  28
Processes
  C:\Users\Admin\AppData\Local\Temp\66666.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\66666.exe"
    PID: 2804
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\66666.exe" "66666.exe" ENABLE
      PID: 2892
      - Modifies Windows Firewall