84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0

Analysis

max time kernel
140s
max time network
175s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe
Size

177KB
MD5

5a6bec1a9c38f6857525cca40f64b2ed
SHA1

7b930d3516d1396a4f374ee30339e2003714e51a
SHA256

84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0
SHA512

463df2bc985d32e852c6ad036cd1e5c403e188662ff9dde34037abf7c92b861c638411b53cf028ff267568244b145f2ec1dd015733c532c0d214c510d19f33b6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\ms_mainApp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\micrsosftWord.exe"	84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe

pid	Process
3468	84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe
3468	84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe

description	pid	Process
Token: SeDebugPrivilege	3468	84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe

C:\Users\Admin\AppData\Local\Temp\84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe
"C:\Users\Admin\AppData\Local\Temp\84fb5d99db36d869cf03b6b3c559fa976d0ea17e112e91596ddc0b0079a6b2e0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3468-115-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download