f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe
Size

67KB
MD5

cb0768c89e83f2328952ba51e4d4b7f1
SHA1

dfff31642cddc28498df7e67682eef4a7647c61a
SHA256

f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808
SHA512

ed9c6b632c5de10459b60e50bb7560788e38631fe72ed05b210b5f449beb8d3c290769c5e74c2c4fe245baf2b5eb0f6717fc74d41b17dc06a0b68d2e5aecf60d

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\office_mainApp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft_Windows\\windows_defender.exe"	f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe

pid	Process
944	f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe
944	f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe

description	pid	Process
Token: SeDebugPrivilege	944	f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe

C:\Users\Admin\AppData\Local\Temp\f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe
"C:\Users\Admin\AppData\Local\Temp\f23142e54092231ccc04960598d8d17f3a79a5bf0719a9a0cb73c588afae3808.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-54-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/944-55-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download