Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 22-11-2021 18:42
Behavioral task: behavioral1
- Sample: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
- Resource: win7-en-20211104 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
- Size: 43KB
- MD5: e4db9bf2d3ce9406e1339ed4119ac80e
- SHA1: 5351b8a10a515918cd0b7dd1e577ebbe48c531b2
- SHA256: fb5cc233422dab904074e1777e28631912a88b3046a68e7a0963e1ac892ff259
- SHA512: 8bfc7b064d651aa76bf488f9b34e643aeb83d6e6f49b112106a6b90c71d210da8a9cae89f0484a5b5587e4b4801a44dc82464aa46ffd18ea7d8d37a6a2a6dce9
- Score: 7/10
Malware Config
Signatures
-
- Drops startup file (2 IoCs)
Processes: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FB5CC233422DAB904074E1777E28631912A88B3046A68.exe\" .." | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FB5CC233422DAB904074E1777E28631912A88B3046A68.exe\" .." | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
pid | process
4332 | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
description | count | pid | process
Token: SeDebugPrivilege | 1 | 4332 | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
Token: 33 | 17 | 4332 | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
Token: SeIncBasePriorityPrivilege | 17 | 4332 | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe
Recorded order: Token: SeDebugPrivilege once, then 17 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege, all from pid 4332.
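The two persistence signatures above (the Startup folder drop and the Run key writes) and the AdjustPrivilegeToken sequence, normalised by a small triage helper. This is an added example written for this page, not the sandbox's or the sample's own code: the four IoC strings are copied from the signature section as constructed input, the 35 token events are rebuilt from the counts shown, all function and constant names are this example's own, and the "masquerade" check is a heuristic assumption rather than a sandbox rule. The only external fact it relies on is Windows' fixed privilege LUID assignment, under which LUID 33 is SeIncreaseWorkingSetPrivilege.

```python
"""Triage helper for the signature section of this report.

Added example for this page, not the sandbox's or the sample's own code. It
parses the raw IoC strings exactly as the report prints them into structured
persistence records and counts the AdjustPrivilegeToken events, so the report
can be compared against host telemetry. All names here are this example's own.
"""
import re
from collections import Counter

SAMPLE = "FB5CC233422DAB904074E1777E28631912A88B3046A68.exe"
STARTUP_DIR = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")
# Registry data as the report renders it: the value's quotes and backslashes escaped.
RUN_VALUE = r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + r'\" .."'

# Constructed input: the four IoC strings copied from the signature section.
IOC_LINES = [
    f"File created {STARTUP_DIR}\\Java update.exe {SAMPLE}",
    f"File opened for modification {STARTUP_DIR}\\Java update.exe {SAMPLE}",
    r"Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "
    + RUN_VALUE + " " + SAMPLE,
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
    r"\CurrentVersion\Run\Windows Update = " + RUN_VALUE + " " + SAMPLE,
]

# The 35 AdjustPrivilegeToken events in the report's order: SeDebugPrivilege
# once, then 17 alternating pairs of privilege LUID 33 and SeIncBasePriorityPrivilege.
TOKEN_EVENTS = ["SeDebugPrivilege"] + ["33", "SeIncBasePriorityPrivilege"] * 17

# The sandbox names some privileges only by LUID. In Windows' fixed LUID
# assignment, 33 is SeIncreaseWorkingSetPrivilege.
PRIVILEGE_LUIDS = {"33": "SeIncreaseWorkingSetPrivilege"}

HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
RUN_KEY_SUFFIX = r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
# ATT&CK ID for Registry Run Keys / Startup Folder (T1060 in the v6 matrix the
# report is rendered against; T1547.001 since ATT&CK v7).
TECHNIQUE = "T1547.001"

REG_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+)\\(?P<name>[^\\]+) = '
                    r'"(?P<data>.*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r"^(?P<op>File created|File opened for modification) "
                     r"(?P<path>.+) (?P<proc>\S+)$")


def unescape(data):
    """Undo the report's escaping of quotes and backslashes in string data."""
    return re.sub(r'\\(["\\])', r"\1", data)


def normalize_key(key):
    """Map the native registry roots (MACHINE, USER) to hive names (HKLM, HKU)."""
    for native, hive in HIVES.items():
        if key.upper().startswith(native):
            return hive + key[len(native):]
    return key


def parse_ioc(line):
    """Turn one raw IoC string into a dict; raise ValueError for unknown shapes."""
    m = REG_RE.match(line)
    if m:
        cmd = unescape(m["data"])
        q = re.match(r'^"([^"]+)"\s*(.*)$', cmd)  # quoted image path, then arguments
        image, args = (q.group(1), q.group(2)) if q else (cmd.split(" ", 1)[0], "")
        key = normalize_key(m["key"])
        return {"kind": "registry", "key": key, "name": m["name"], "image": image,
                "args": args, "wow64": "\\WOW6432NODE\\" in key.upper(),
                "process": m["proc"]}
    m = FILE_RE.match(line)
    if m:
        return {"kind": "file", "op": m["op"], "path": m["path"], "process": m["proc"]}
    raise ValueError(f"unrecognised IoC line: {line!r}")


def persistence_records(lines):
    """Keep the events that create an autostart entry, one record per location."""
    found = {}
    for rec in map(parse_ioc, lines):
        if rec["kind"] == "registry" and rec["key"].upper().endswith(RUN_KEY_SUFFIX):
            location = rec["key"] + "\\" + rec["name"]
        elif rec["kind"] == "file" and "\\START MENU\\PROGRAMS\\STARTUP\\" in rec["path"].upper():
            location = rec["path"]
        else:
            continue
        found.setdefault(location, {**rec, "technique": TECHNIQUE, "location": location})
    return list(found.values())


def looks_like_masquerade(rec):
    """Heuristic of this example (not a sandbox rule): an autostart entry named
    like an updater whose target lives in a user-writable directory."""
    if rec["kind"] == "registry":
        label, target = rec["name"], rec["image"]
    else:
        label, target = rec["path"].rsplit("\\", 1)[-1], rec["path"]
    user_writable = any(s in target.upper() for s in ("\\APPDATA\\", "\\TEMP\\"))
    return "UPDATE" in label.upper() and user_writable


def summarize_privileges(events):
    """Count privilege adjustments, resolving bare LUIDs to privilege names."""
    return Counter(PRIVILEGE_LUIDS.get(e, e) for e in events)


def triage(lines=IOC_LINES, events=TOKEN_EVENTS):
    recs = persistence_records(lines)
    return {"persistence": recs,
            "masquerade_count": sum(looks_like_masquerade(r) for r in recs),
            "wow64_run_key": any(r.get("wow64", False) for r in recs),
            "privileges": summarize_privileges(events)}


if __name__ == "__main__":
    result = triage()
    for r in result["persistence"]:
        target = r["image"] if r["kind"] == "registry" else r["path"]
        print(r["technique"], r["location"], "->", target)
    print(dict(result["privileges"]))
```

Run stand-alone it prints three autostart locations (the HKU Run value, the HKLM Run value and the Startup folder file), each resolving to the sample's own path under the user's Temp directory with the trailing `..` argument the report shows. The HKLM entry sits under WOW6432Node: on a 64-bit platform that is where a 32-bit process's writes to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run are redirected, so a hunt that reads only the native 64-bit Run key misses it.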
Processes
- C:\Users\Admin\AppData\Local\Temp\FB5CC233422DAB904074E1777E28631912A88B3046A68.exe (pid 4332)
  command line: "C:\Users\Admin\AppData\Local\Temp\FB5CC233422DAB904074E1777E28631912A88B3046A68.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4332-115-0x0000000003260000-0x0000000003261000-memory.dmp (Filesize: 4KB)