17a1cec5b8ce358f8a0c43ac7a16292e2b455a79ba62aec1e24ac0a51427cf48

Analysis

Target

17a1cec5b8ce358f8a0c43ac7a16292e2b455a79ba62aec1e24ac0a51427cf48.exe
Size

125KB
MD5

51c57b0366d0b71acf05b4df0afef52f
SHA1

18fcd5ca1236e67c4526fb4b5e009be97bded8db
SHA256

17a1cec5b8ce358f8a0c43ac7a16292e2b455a79ba62aec1e24ac0a51427cf48
SHA512

b81b336ce8d9732307287e691fb6d678eab77a9a58423ee4c4ce6a5673a5bf26adbb6f4c282f867cad584c1b5ebf4c6c27ce530d3189b10a178ffe7adb5aaec6

Score

6^/10

persistence

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\new_bApp = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\photoview.exe"	17a1cec5b8ce358f8a0c43ac7a16292e2b455a79ba62aec1e24ac0a51427cf48.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	17a1cec5b8ce358f8a0c43ac7a16292e2b455a79ba62aec1e24ac0a51427cf48.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	17a1cec5b8ce358f8a0c43ac7a16292e2b455a79ba62aec1e24ac0a51427cf48.exe

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2764-117-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download