Analysis

Max time kernel: 147s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-02-2024 10:08
Behavioral task: behavioral1
  Sample: So2CHEAT.exe
  Resource: win7-20240215-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: So2CHEAT.exe
  Resource: win10v2004-20240221-en
  5 signatures, 150 seconds
General

Target: So2CHEAT.exe
Size: 93KB
MD5: 41e990ab2c6582fa78eec4de2c4d731d
SHA1: 801410d19aa4b4d5dee2fff1c5644184125eb77c
SHA256: 01e3c4e657ab9990d03eabcb3fe1fee29fe6d00611e2c0c51d632f6043a2d6ab
SHA512: 9d4518c1ddfdf8370990251afc9f37b25b5f9b68b55f923c1ddc744882c03b7269cd2478e8e369f9e77a80c78e818d9d1c438c6f5194cf7f6267d99520de646b
SSDEEP: 1536:FUwC+xhUa9urgOBPmNvM4jEwzGi1dDbDUgS:FUmUa9urgOkdGi1dDN
Score: 8/10
Malware Config

Signatures

- Modifies Windows Firewall (2 TTPs, 1 IoC)
    pid   Process
    1076  netsh.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
    flow  ioc
    12    2.tcp.eu.ngrok.io
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid   Process
    1932  So2CHEAT.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
    description                        pid   Process
    Token: SeDebugPrivilege            1932  So2CHEAT.exe   (1 entry)
    Token: 33                          1932  So2CHEAT.exe   (17 entries, alternating with the next row)
    Token: SeIncBasePriorityPrivilege  1932  So2CHEAT.exe   (17 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid   Process       procid_target
    PID 1932 wrote to memory of 1076   1932  So2CHEAT.exe  86   (3 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\So2CHEAT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\So2CHEAT.exe"
  PID: 1932
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\So2CHEAT.exe" "So2CHEAT.exe" ENABLE
    PID: 1076
    - Modifies Windows Firewall