d046e766c9c755c88427a91d0dfcfca5659ade83bfd346315aeebc52c485208e

Analysis

max time kernel
61s
max time network
89s
platform
windows7_x64
resource
win7v20210408
submitted
18-07-2021 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
Size

113KB
MD5

9f8769cd10b22c6eb62f3f835e0bdb38
SHA1

963ce0420dc7ef8a5fa7cf8e538da70549c3963d
SHA256

d046e766c9c755c88427a91d0dfcfca5659ade83bfd346315aeebc52c485208e
SHA512

7b4ffcafc6b41c84f9fc603095b7bdc1235abf25825d64095fcb28b11aa7f7f5e50c87d1fdec920a32cb3144fbd99254c53a09ad01798c2d177322cba32f8707

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsecor = "C:\\ProgramData\\Mins\\mieces.exe"	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

pid	Process
1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

description	pid	Process
Token: SeDebugPrivilege	1672	D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-60-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1672-61-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download