Analysis

max time kernel: 208s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-03-2024 20:17
General

Target: Client.exe
Size: 31KB
MD5: c681d81f57698fa19d01ca73f6bbcb1f
SHA1: 4348315502f691f6e67827558c12e1dd411253b6
SHA256: 02b521d5e6e067a04c04ec17e6b024cd14788c7df268540d8e68ee98023d9430
SHA512: a4472d4930f1c0e07003fa5218fd4bfd8aad65764e709706e0a7af0ac13df46271e1881e826543adfc7089d596d2baacd542ff16600e9080b669438c4b29c013
SSDEEP: 768:IXJEpBZhjzOzx5+R4s/Hu56HdAbiTinvaTQmIDUu0tiT9j:XD6uukAbiT6oQVk8j
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)

    pid     Process
    3156    netsh.exe

Suspicious use of AdjustPrivilegeToken (51 IoCs)

    description                         pid     Process
    Token: SeDebugPrivilege             4988    Client.exe
    Token: 33                           4988    Client.exe
    Token: SeIncBasePriorityPrivilege   4988    Client.exe
    (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for PID 4988 Client.exe repeats for the remaining rows, 51 rows in total)

Suspicious use of WriteProcessMemory (3 IoCs)

    description                              pid     Process       procid_target
    PID 4988 wrote to memory of 3156         4988    Client.exe    100
    PID 4988 wrote to memory of 3156         4988    Client.exe    100
    PID 4988 wrote to memory of 3156         4988    Client.exe    100
Processes

1. C:\Users\Admin\AppData\Local\Temp\Client.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
   PID: 4988
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of Client.exe, PID 4988)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE
      PID: 3156
      - Modifies Windows Firewall