bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104

Analysis

Target

bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104.exe
Size

96KB
MD5

e7ad33bb7c7af173c7a0b1f66ab4c7ae
SHA1

ea342e170658732483329218a6bd76d127ba39bb
SHA256

bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104
SHA512

580bd733735de5a3964b034274621fd9998d03ced2a6bb2590d75dcb1e025b4f54bbf76e282b5db4ed8303814c7c60ca06a31211940753202ee09fcebb255df0

Score

6^/10

persistence

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\exp_mainApp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\msdotnet.exe"	bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
952	bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104.exe
952	bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	bd1746091ff430fbb749fc11ae3374b45375303840379f98b2576ad5bfc94104.exe

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/952-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/952-56-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download