95094182dfdf51212b92c876fef1a796965814bb77bb514c33bbe4bc0ce3d34e | Triage

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
05-02-2021 14:48

Sharing

Report Analysis Logs

General

Target

ztgjaTAB.exe
Size

28KB
MD5

9c310afa34927179f09153add55767b6
SHA1

7a36199b70cd194ac5cd0d388c6d98e16a2821f8
SHA256

95094182dfdf51212b92c876fef1a796965814bb77bb514c33bbe4bc0ce3d34e
SHA512

e5d6fdc59a1bb81b45fdf5283eb6438c865d5700650ec36e4844c13cdd2437072d10907c8fc71a1319755313466aace4cc4445e05bf03abed7f91fb5632e956c

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ztgjaTAB.exe

description pid process

Token: SeDebugPrivilege 784 ztgjaTAB.exe
Token: SeDebugPrivilege 784 ztgjaTAB.exe

C:\Users\Admin\AppData\Local\Temp\ztgjaTAB.exe
"C:\Users\Admin\AppData\Local\Temp\ztgjaTAB.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/784-3-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/784-5-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download