06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c

Analysis

Target

06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c.exe
Size

88KB
MD5

5371d2984cbd1ae8283f9ae9eeee718d
SHA1

7ddd331686d6b26dc779645a51c7f7eabb655a74
SHA256

06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c
SHA512

18bddf4ab2338f414c13273c588a55c7e6861a6debca8e4540e82e050204e9aff6a137cf997e2131c6f716d82ebabaa24bedcb5489640209d603c944a2d65450

Score

6^/10

persistence

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\office_mainApp = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftDefender\\microsoftDefender.exe"	06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1212	06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c.exe
1212	06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	06158ea9684f86faee3e0d09810f78f1c9be304f92a9d13cf908995dec12741c.exe

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1212-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1212-55-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download