Analysis

max time kernel: 148s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-02-2024 01:29
Behavioral task: behavioral1
Sample: 3331918a0568c0d815a272bbcd21497f.exe
Resource: win7-20240221-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 3331918a0568c0d815a272bbcd21497f.exe
Resource: win10v2004-20240221-en
3 signatures, 150 seconds
General

Target: 3331918a0568c0d815a272bbcd21497f.exe
Size: 37KB
MD5: 3331918a0568c0d815a272bbcd21497f
SHA1: 31b093fea6e6447fb4c232faa6d04db2e8549199
SHA256: e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459
SHA512: 27dbd0846d9f6e65909849b19bd4cec58f12477650b8bbae95bb8437ab5038e3f9029a3f5ef2cbaf55afa2b76ec1a367d9e3505a1d0047a880eb3d8d639b2024
SSDEEP: 384:BLuf7WpgibTjpPu7w9qyMTczHPes2A7rbrAF+rMRTyN/0L+EcoinblneHQM3epza:EqNN9ZMTczWtAbrM+rMRa8Nuqnt
Score: 8/10
Malware Config

Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid    process
2920   netsh.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 entries come from PID 2112 (3331918a0568c0d815a272bbcd21497f.exe). The first enables SeDebugPrivilege; the remaining 34 alternate between privilege 33 and SeIncBasePriorityPrivilege, 17 of each. The sandbox leaves value 33 unnamed; it is the privilege LUID that winnt.h defines as SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege).
description                          pid    process
Token: SeDebugPrivilege              2112   3331918a0568c0d815a272bbcd21497f.exe
Token: 33                            2112   3331918a0568c0d815a272bbcd21497f.exe
Token: SeIncBasePriorityPrivilege    2112   3331918a0568c0d815a272bbcd21497f.exe
(the last two rows repeat, alternating, 17 times in total)

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    process                                  procid_target
PID 2112 wrote to memory of 2920   2112   3331918a0568c0d815a272bbcd21497f.exe     28
(this row appears 4 times; all four writes target the netsh.exe child, PID 2920)
Processes

C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe (PID 2112)
  command line: "C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\netsh.exe (PID 2920)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe" "3331918a0568c0d815a272bbcd21497f.exe" ENABLE
      - Modifies Windows Firewall

The child command adds the sample's own binary, sitting in the user's Temp directory, to the firewall's allowed-program list using the legacy "netsh firewall" context (deprecated since Windows Vista in favour of "netsh advfirewall firewall", but still accepted on Windows 7). netsh.exe being loaded from SysWOW64 rather than System32 indicates the sample runs as a 32-bit process on the x64 host: WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers.
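The process tree above is the classic self-exemption pattern: a binary in a user-writable directory spawns netsh to punch a firewall hole for itself. The following Python is an added detection example written for this page; it is not part of the sandbox report or its tooling. It parses process-creation records shaped like Sysmon Event ID 1 fields (pid, ppid, image, command line, parent image), recognises both the legacy "netsh firewall add allowedprogram" form and the modern "netsh advfirewall firewall add rule ... program=" form, and flags exemptions whose target lives in a user-writable path or equals the parent process image. The records are constructed: the PID 2112 / 2920 pair mirrors the report, while the explorer.exe parent, the PPIDs 1680/3000/4380, the "Contoso Sync" installer rule and the Downloads\update.exe case are assumptions added to show a benign and a second malicious case.

```python
"""Detect firewall self-exemptions in process-creation telemetry.

Added example, not part of the sandbox report. Records are constructed to
resemble Sysmon Event ID 1 fields; they are not real Sysmon output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    pid: int
    ppid: int
    program: str
    context: str                      # "legacy" or "advfirewall"
    reasons: List[str] = field(default_factory=list)


# A token is any mix of unquoted runs and "quoted spans", so both
#   "C:\path with space\a.exe"   and   program="C:\p q\a.exe"
# survive as single tokens. Quotes are stripped afterwards.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Directories a standard user can write to; a firewall hole for a binary here
# deserves far more attention than one for a program under Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|users\\public\\|windows\\temp\\|programdata\\)",
    re.IGNORECASE,
)


def tokenize(command_line: str) -> List[str]:
    return [t.replace('"', "") for t in TOKEN.findall(command_line)]


def exempted_program(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (context, program path) if the command line adds a per-program
    firewall allow entry, otherwise None. Port-only rules are ignored."""
    toks = tokenize(command_line)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    if low[1:4] == ["firewall", "add", "allowedprogram"]:
        rest = toks[4:]                       # positional path or program=<path>
        for t in rest:
            if t.lower().startswith("program="):
                return ("legacy", t[len("program="):])
        return ("legacy", rest[0]) if rest else None
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for t in toks[5:]:
            if t.lower().startswith("program="):
                return ("advfirewall", t[len("program="):])
    return None


def analyze(events: List[ProcEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        hit = exempted_program(ev.command_line)
        if hit is None:
            continue
        context, program = hit
        reasons = []
        if USER_WRITABLE.search(program):
            reasons.append("exempted program lives in a user-writable directory")
        if ev.parent_image.lower() == program.lower():
            reasons.append("self-exemption: parent process is the exempted program")
        if context == "legacy":
            reasons.append("uses the deprecated 'netsh firewall' context")
        if reasons:
            findings.append(Finding(ev.pid, ev.ppid, program, context, reasons))
    return findings


# Constructed telemetry. The 2112 -> 2920 pair follows the report; parent
# images, the other PIDs/PPIDs and the two extra netsh invocations are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe"
EVENTS = [
    ProcEvent(2112, 1680, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2920, 2112, r"C:\Windows\SysWOW64\netsh.exe",
              f'netsh firewall add allowedprogram "{SAMPLE}" '
              '"3331918a0568c0d815a272bbcd21497f.exe" ENABLE', SAMPLE),
    ProcEvent(3104, 3000, r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="Contoso Sync" dir=in '
              'action=allow program="C:\\Program Files\\Contoso\\sync.exe"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(4400, 4380, r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name=upd dir=in action=allow '
              'program="C:\\Users\\Admin\\Downloads\\update.exe" enable=yes',
              r"C:\Users\Admin\Downloads\update.exe"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid} (parent {f.ppid}) [{f.context}] -> {f.program}")
        for r in f.reasons:
            print(f"    {r}")
```

The benign installer rule produces no finding because its program path is under Program Files, the parent is msiexec.exe, and it uses the advfirewall context; the report's netsh invocation trips all three checks. In production the parent-image comparison should be widened to the whole ancestry chain, since a dropper can exempt a sibling or a later-stage payload rather than itself.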