Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 17:27
Behavioral task behavioral1
- Sample: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Resource: win10v2004-20240412-en
General
- Target: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Size: 93KB
- MD5: 627d146f44e901aa1bcd48effb3b788f
- SHA1: 8964f3c422dc04d0e71c7fe8439df4da708eeb3b
- SHA256: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e
- SHA512: 91c3cb47d136166b11fd64c5efad4ce063197ea42de19dc74c9b557e82ec7b8f15b9dace70891259abd27d0775b8efccf089f34f44586350d383268568ae12c5
- SSDEEP: 768:lY31Um/o9eUVTsZ4E+rLDPQmJ/ewL54lLdJXn5513Sr2YxgXxrjEtCdnl2pi1RzC:yUeoZp/eM4LvFSrdqjEwzGi1dDcD/gS
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  - pid 2568: netsh.exe
- Drops startup file (2 IoCs)
  Processes: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 1340: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe, pid 1340
  - Token: SeDebugPrivilege (once, at the start)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating repeatedly for the rest of the run
  The sandbox reports "33" as a raw privilege LUID; on Windows, LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one worth attention here: it is what a user-mode process needs to open other processes for memory access, and a 93KB dropper has no legitimate reason to request it.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe (pid 1340) -> netsh.exe (pid 2568)
  - PID 1340 wrote to memory of 2568 (four writes recorded, all into the child netsh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe"
   - Drops startup file
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe" "5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe" ENABLE
      - Modifies Windows Firewall

Two details of the tree are worth noting. netsh.exe resolves to C:\Windows\SysWOW64 rather than System32, which is WoW64 file-system redirection at work: the parent is a 32-bit process on a 64-bit host (consistent with the arch:x86 resource tag). And the rule is added through the legacy `netsh firewall` context (superseded by `netsh advfirewall firewall`), which whitelists the sample's own Temp-folder path so that its outbound and inbound traffic is not blocked by Windows Firewall. The four WriteProcessMemory IoCs against pid 2568 are the writes a parent makes into a freshly spawned child before resuming it; on their own they do not indicate injection into netsh.exe.
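The two host-side behaviours above (a program allow-listing itself in Windows Firewall via netsh, and an executable dropped into the per-user Startup folder) are both cheap to detect from process-creation and file-creation telemetry. The following is an added example, not part of the sandbox report: a small Python detector run over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 11 (file create). The event records, the field names, the benign noise events and the severity scheme are all assumptions of this example; the malicious events reuse the command line and dropped-file path shown in this report.

```python
"""Detect firewall self-whitelisting via netsh and Startup-folder persistence.

Constructed events approximating Sysmon EID 1 / EID 11 (example data, not the
sandbox's raw log). The malicious entries mirror this report; the benign ones
are made up to show what should not fire.
"""
import re
from dataclasses import dataclass

SAMPLE = "5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe"

# Legacy "netsh firewall add allowedprogram ..." and the modern
# "netsh advfirewall firewall add rule ... action=allow" form.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\b"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b)",
    re.IGNORECASE,
)
# First argument after "allowedprogram" is the program path (quoted or bare).
ALLOWED_PROGRAM_ARG = re.compile(r'allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Per-user and all-users Startup folders both end in this suffix.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.IGNORECASE)
EXEC_EXT = {"exe", "dll", "scr", "com", "bat", "cmd", "vbs", "js", "ps1", "hta"}


@dataclass
class Event:
    event_id: int            # 1 = process create, 11 = file create (Sysmon numbering)
    pid: int                 # EID 1: the new process; EID 11: the writing process
    image: str
    command_line: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    target_filename: str = ""


@dataclass
class Finding:
    rule: str
    pid: int                 # the process held responsible (parent for netsh)
    severity: str
    detail: str


def allowed_program(cmdline):
    """Return the path being allow-listed, or None if not a netsh allow command."""
    m = ALLOWED_PROGRAM_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    findings = []
    for e in events:
        if e.event_id == 1 and NETSH_ALLOW.search(e.command_line):
            path = allowed_program(e.command_line) or ""
            # A rule for a binary under AppData is far more suspicious than
            # one for an installed program under Program Files.
            sev = "high" if USER_WRITABLE.search(path) else "medium"
            findings.append(Finding("netsh_firewall_allow", e.parent_pid, sev, path))
        elif e.event_id == 11 and STARTUP_DIR.search(e.target_filename):
            ext = e.target_filename.rsplit(".", 1)[-1].lower()
            sev = "high" if ext in EXEC_EXT else "low"   # .lnk shortcuts are common and benign
            findings.append(Finding("startup_folder_drop", e.pid, sev, e.target_filename))
    return findings


def correlate(findings):
    """PIDs that both persisted via Startup and allow-listed something in the firewall."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.rule)
    return sorted(p for p, rules in by_pid.items()
                  if {"netsh_firewall_allow", "startup_folder_drop"} <= rules)


TEMP_PATH = rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [  # constructed sample telemetry
    Event(1, 1340, TEMP_PATH, command_line=f'"{TEMP_PATH}"',
          parent_pid=600, parent_image=r"C:\Windows\explorer.exe"),
    Event(11, 1340, TEMP_PATH, target_filename=STARTUP + r"\Microsofts.exe"),
    Event(1, 2568, r"C:\Windows\SysWOW64\netsh.exe",
          command_line=f'netsh firewall add allowedprogram "{TEMP_PATH}" "{SAMPLE}" ENABLE',
          parent_pid=1340, parent_image=TEMP_PATH),
    # benign noise: an admin querying interfaces, an installer adding a shortcut
    Event(1, 3001, r"C:\Windows\System32\netsh.exe", command_line="netsh interface ip show config",
          parent_pid=2900, parent_image=r"C:\Windows\System32\cmd.exe"),
    Event(11, 3100, r"C:\Program Files\Example\setup.exe", target_filename=STARTUP + r"\Example.lnk"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity:6}] {f.rule:22} pid={f.pid} {f.detail}")
    print("both behaviours from:", correlate(detect(EVENTS)))
```

The netsh finding is attributed to the parent PID rather than to netsh.exe itself, because the actor is the process that spawned netsh; that is also what makes the correlation step line up the firewall change with the Startup drop from pid 1340. In a real pipeline the same two signatures map cleanly onto a Sysmon or EDR query: EID 1 with CommandLine matching the netsh pattern, and EID 11 with TargetFilename under a Startup folder.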
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1340-0-0x0000000074720000-0x0000000074CCB000-memory.dmp, 5.7MB
- memory/1340-1-0x0000000074720000-0x0000000074CCB000-memory.dmp, 5.7MB
- memory/1340-2-0x0000000000560000-0x00000000005A0000-memory.dmp, 256KB
- memory/1340-5-0x0000000074720000-0x0000000074CCB000-memory.dmp, 5.7MB
- memory/1340-6-0x0000000074720000-0x0000000074CCB000-memory.dmp, 5.7MB
- memory/1340-7-0x0000000000560000-0x00000000005A0000-memory.dmp, 256KB