Analysis
-
max time kernel
149s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 06:20
Behavioral task
behavioral1
Sample
testme.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
testme.exe
Resource
win10v2004-20241007-en
General
-
Target
testme.exe
-
Size
93KB
-
MD5
007cc72f39b8261fda0d3ca9054f46bc
-
SHA1
7a2d2aaa860bced45ebdaa41eba3412c715d27fd
-
SHA256
b10f27a30807f8c7e6cd91d168b092a03768882b77b2122e5598f01a5c04c0c7
-
SHA512
2b1894aea4345bb81fa34ddad67e995b1050cbe57760ba3437733f0a7ecf3832e58bbf3cf655254c5744f13e3aa0f56ed891ab4e8d3c715aaa454ac49a565dfc
-
SSDEEP
1536:7x7QHRsXQQEtQnHRegjEwzGi1dDXDtgS:7xrXQQEtQnxexi1dX6
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2544 netsh.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language testme.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2220 testme.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe Token: 33 2220 testme.exe Token: SeIncBasePriorityPrivilege 2220 testme.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2544 2220 testme.exe 29 PID 2220 wrote to memory of 2544 2220 testme.exe 29 PID 2220 wrote to memory of 2544 2220 testme.exe 29 PID 2220 wrote to memory of 2544 2220 testme.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\testme.exe"C:\Users\Admin\AppData\Local\Temp\testme.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\testme.exe" "testme.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2544
-