Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2024 01:29
Behavioral task: behavioral1
Sample: 3331918a0568c0d815a272bbcd21497f.exe
Resource: win7-20240221-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 3331918a0568c0d815a272bbcd21497f.exe
Resource: win10v2004-20240221-en
3 signatures, 150 seconds
General
Target: 3331918a0568c0d815a272bbcd21497f.exe
Size: 37KB
MD5: 3331918a0568c0d815a272bbcd21497f
SHA1: 31b093fea6e6447fb4c232faa6d04db2e8549199
SHA256: e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459
SHA512: 27dbd0846d9f6e65909849b19bd4cec58f12477650b8bbae95bb8437ab5038e3f9029a3f5ef2cbaf55afa2b76ec1a367d9e3505a1d0047a880eb3d8d639b2024
SSDEEP: 384:BLuf7WpgibTjpPu7w9qyMTczHPes2A7rbrAF+rMRTyN/0L+EcoinblneHQM3epza:EqNN9ZMTczWtAbrM+rMRa8Nuqnt
Score: 8/10
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid   Process
1128  netsh.exe

Suspicious use of AdjustPrivilegeToken (37 IoCs)
description                              pid   Process
Token: SeDebugPrivilege                  3896  3331918a0568c0d815a272bbcd21497f.exe
Token: 33                                3896  3331918a0568c0d815a272bbcd21497f.exe
Token: SeIncBasePriorityPrivilege        3896  3331918a0568c0d815a272bbcd21497f.exe
(the last two rows repeat in alternation for the remainder of the 37 entries, all from pid 3896)

Suspicious use of WriteProcessMemory (3 IoCs)
description                              pid   Process                                procid_target
PID 3896 wrote to memory of 1128         3896  3331918a0568c0d815a272bbcd21497f.exe   94
PID 3896 wrote to memory of 1128         3896  3331918a0568c0d815a272bbcd21497f.exe   94
PID 3896 wrote to memory of 1128         3896  3331918a0568c0d815a272bbcd21497f.exe   94
Processes

C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3896

  C:\Windows\SysWOW64\netsh.exe (child of PID 3896)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3331918a0568c0d815a272bbcd21497f.exe" "3331918a0568c0d815a272bbcd21497f.exe" ENABLE
    - Modifies Windows Firewall
    PID: 1128