Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-02-2024 10:08
Behavioral task: behavioral1
- Sample: So2CHEAT.exe
- Resource: win7-20240215-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: So2CHEAT.exe
- Resource: win10v2004-20240221-en
- 5 signatures
- 150 seconds
General
- Target: So2CHEAT.exe
- Size: 93KB
- MD5: 41e990ab2c6582fa78eec4de2c4d731d
- SHA1: 801410d19aa4b4d5dee2fff1c5644184125eb77c
- SHA256: 01e3c4e657ab9990d03eabcb3fe1fee29fe6d00611e2c0c51d632f6043a2d6ab
- SHA512: 9d4518c1ddfdf8370990251afc9f37b25b5f9b68b55f923c1ddc744882c03b7269cd2478e8e369f9e77a80c78e818d9d1c438c6f5194cf7f6267d99520de646b
- SSDEEP: 1536:FUwC+xhUa9urgOBPmNvM4jEwzGi1dDbDUgS:FUmUa9urgOkdGi1dDN

Score: 8/10

Malware Config

Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  2636  netsh.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow  ioc
  2     2.tcp.eu.ngrok.io
  4     2.tcp.eu.ngrok.io
  6     2.tcp.eu.ngrok.io
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2260  So2CHEAT.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2260  So2CHEAT.exe
  Token: 33                          2260  So2CHEAT.exe
  Token: SeIncBasePriorityPrivilege  2260  So2CHEAT.exe
  (the last two rows then alternate, 18 times each, for the remaining 36 IoCs; every entry is from PID 2260, So2CHEAT.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process       procid_target
  PID 2260 wrote to memory of 2636    2260  So2CHEAT.exe  28
  PID 2260 wrote to memory of 2636    2260  So2CHEAT.exe  28
  PID 2260 wrote to memory of 2636    2260  So2CHEAT.exe  28
  PID 2260 wrote to memory of 2636    2260  So2CHEAT.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\So2CHEAT.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\So2CHEAT.exe"
  PID: 2260
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of PID 2260)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\So2CHEAT.exe" "So2CHEAT.exe" ENABLE
    PID: 2636
    - Modifies Windows Firewall