Analysis
max time kernel
117s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
20-07-2024 06:59
Behavioral task
behavioral1
Sample
60676785893f285fca5a3dcf01eec2c0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
60676785893f285fca5a3dcf01eec2c0N.exe
Resource
win10v2004-20240704-en
General
Target
60676785893f285fca5a3dcf01eec2c0N.exe
Size
91KB
MD5
60676785893f285fca5a3dcf01eec2c0
SHA1
a4c05e8ab83af3168baa1d3a6c7cea2c30a4592c
SHA256
408fddc3984c29b164cbfde2894b25479209230707b6a66ff3d973cf9a1b050b
SHA512
4664529a81cd0cda358a453d78e6838b58dbf92fb94d43ef66c1359f6c61482f622309d033474cd71f069d0a8fcce70819563c2218e8dac41d3256c1c66b3083
SSDEEP
1536:+YTbkWWWipj69MME0n2ZXk+EkqVR1lphv:LTnqj69MIClJqVRBh
Malware Config
Signatures
Modifies Windows Firewall 2 TTPs 1 IoCs
pid   Process
2204  netsh.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description           ioc                                                     Process
Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1048  60676785893f285fca5a3dcf01eec2c0N.exe
Suspicious use of AdjustPrivilegeToken 29 IoCs
description                        pid   Process
Token: SeDebugPrivilege            1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: 33                          1048  60676785893f285fca5a3dcf01eec2c0N.exe
Token: SeIncBasePriorityPrivilege  1048  60676785893f285fca5a3dcf01eec2c0N.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                                procid_target
PID 1048 wrote to memory of 2204  1048  60676785893f285fca5a3dcf01eec2c0N.exe  30
PID 1048 wrote to memory of 2204  1048  60676785893f285fca5a3dcf01eec2c0N.exe  30
PID 1048 wrote to memory of 2204  1048  60676785893f285fca5a3dcf01eec2c0N.exe  30
PID 1048 wrote to memory of 2204  1048  60676785893f285fca5a3dcf01eec2c0N.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\60676785893f285fca5a3dcf01eec2c0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\60676785893f285fca5a3dcf01eec2c0N.exe"
Depth: 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1048

C:\Windows\SysWOW64\netsh.exe
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\60676785893f285fca5a3dcf01eec2c0N.exe" "60676785893f285fca5a3dcf01eec2c0N.exe" ENABLE
Depth: 2
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID: 2204