e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99

Analysis

Target

e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99.exe
Size

54KB
MD5

b67047e341653a01526cc178966d1f6c
SHA1

3f3c7f6bd905c476e76129e39a55ed0f955f77d0
SHA256

e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99
SHA512

ccc7ae3b2a725b23baf0a402fceda36df9e079b69c779b599a6c7a88a546f625cc05cc3f5cd5eb3226d459d297af98e5e126495a6c39934155de59d677a0079d

Score

6^/10

persistence

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidia_mainApp = "C:\\Users\\Admin\\AppData\\Roaming\\Skype\\skypeupdate.exe"	e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
864	e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99.exe
864	e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	e1134cbff0420854e6a84105f4dd5dea3b07ec77e120ba98df3bf1310afaff99.exe

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/864-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/864-56-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download