Analysis
max time kernel: 119s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 06:59
Behavioral task: behavioral1
  Sample: 60676785893f285fca5a3dcf01eec2c0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 60676785893f285fca5a3dcf01eec2c0N.exe
  Resource: win10v2004-20240704-en
General
Target: 60676785893f285fca5a3dcf01eec2c0N.exe
Size: 91KB
MD5: 60676785893f285fca5a3dcf01eec2c0
SHA1: a4c05e8ab83af3168baa1d3a6c7cea2c30a4592c
SHA256: 408fddc3984c29b164cbfde2894b25479209230707b6a66ff3d973cf9a1b050b
SHA512: 4664529a81cd0cda358a453d78e6838b58dbf92fb94d43ef66c1359f6c61482f622309d033474cd71f069d0a8fcce70819563c2218e8dac41d3256c1c66b3083
SSDEEP: 1536:+YTbkWWWipj69MME0n2ZXk+EkqVR1lphv:LTnqj69MIClJqVRBh
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  5000  netsh.exe
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                                       Process
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh    netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh    netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh    netsh.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3176  60676785893f285fca5a3dcf01eec2c0N.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            3176  60676785893f285fca5a3dcf01eec2c0N.exe
  Token: 33                          3176  60676785893f285fca5a3dcf01eec2c0N.exe
  Token: SeIncBasePriorityPrivilege  3176  60676785893f285fca5a3dcf01eec2c0N.exe
  (the remaining 28 IoCs alternate between the "Token: 33" and "Token: SeIncBasePriorityPrivilege" rows above, all from pid 3176)
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                procid_target
  PID 3176 wrote to memory of 5000   3176  60676785893f285fca5a3dcf01eec2c0N.exe  86
  PID 3176 wrote to memory of 5000   3176  60676785893f285fca5a3dcf01eec2c0N.exe  86
  PID 3176 wrote to memory of 5000   3176  60676785893f285fca5a3dcf01eec2c0N.exe  86
Processes
1. C:\Users\Admin\AppData\Local\Temp\60676785893f285fca5a3dcf01eec2c0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\60676785893f285fca5a3dcf01eec2c0N.exe"
   PID: 3176
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of PID 3176)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\60676785893f285fca5a3dcf01eec2c0N.exe" "60676785893f285fca5a3dcf01eec2c0N.exe" ENABLE
      PID: 5000
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL