Analysis
- Max time kernel: 145s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240412-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 19-04-2024 17:27
Behavioral task: behavioral1
- Sample: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Resource: win10v2004-20240412-en
General
- Target: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
- Size: 93KB
- MD5: 627d146f44e901aa1bcd48effb3b788f
- SHA1: 8964f3c422dc04d0e71c7fe8439df4da708eeb3b
- SHA256: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e
- SHA512: 91c3cb47d136166b11fd64c5efad4ce063197ea42de19dc74c9b557e82ec7b8f15b9dace70891259abd27d0775b8efccf089f34f44586350d383268568ae12c5
- SSDEEP: 768:lY31Um/o9eUVTsZ4E+rLDPQmJ/ewL54lLdJXn5513Sr2YxgXxrjEtCdnl2pi1RzC:yUeoZp/eM4LvFSrdqjEwzGi1dDcD/gS
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (pid 4456)
- Drops startup file (2 IoCs)
  Process: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsofts.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe (pid 228)
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Process: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe (pid 228)
  Token: SeDebugPrivilege (1 entry)
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (36 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe (pid 228) wrote to memory of target process netsh.exe (pid 4456) (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe"
   - Drops startup file
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of process 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe" "5b45188cebe24c4309d3d884cb92bc5d9466e9dd8fa57f670b0008931e18562e.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/228-0-0x00000000749C0000-0x0000000074F71000-memory.dmp (filesize 5.7MB)
- memory/228-1-0x00000000749C0000-0x0000000074F71000-memory.dmp (filesize 5.7MB)
- memory/228-2-0x0000000000CB0000-0x0000000000CC0000-memory.dmp (filesize 64KB)
- memory/228-5-0x00000000749C0000-0x0000000074F71000-memory.dmp (filesize 5.7MB)
- memory/228-6-0x00000000749C0000-0x0000000074F71000-memory.dmp (filesize 5.7MB)
- memory/228-7-0x0000000000CB0000-0x0000000000CC0000-memory.dmp (filesize 64KB)