02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d

Analysis

max time kernel
153s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
Size

94KB
MD5

4297041e3a701ed8c01e40d6c54264a1
SHA1

23dcec87435af17e695c8612f1453d38950bc61d
SHA256

02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d
SHA512

9a97600714cd1b54705a093df9d705405dfc78480af635f18b37e907af83548ee7631742c0206f821bae8bd93af2c6b6920a43372a106f24493c282a16c0b4e2

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\ouwindows_defender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft_Windows\\windows_defender.exe"	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe

pid	Process
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe

description	pid	Process
Token: SeDebugPrivilege	1572	02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe

C:\Users\Admin\AppData\Local\Temp\02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe
"C:\Users\Admin\AppData\Local\Temp\02283ec4ecef511350c644689aadf37e5eaf1f4d0eac249e16baac0b1298ac8d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1572-55-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download