bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c

Analysis

Target

bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c.exe
Size

170KB
MD5

214eb28f04d969c9f637b09e4ffad644
SHA1

b94a476a2ef9737e90c4c4c9ca10acbe57b87e3b
SHA256

bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c
SHA512

3efe0c464170947fe7fea30d4aecba2c0bb4d5e47f3d739fdbb6c9489357e971c719f2ccef45e5cfd7ec216a9b6ba63e259e23aa21d72b826af0eb2f0cb10fbf

Score

6^/10

persistence

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\ms_mainApp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winword.exe"	bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c.exe
1712	bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	bef7fe1a58535d2f940b8536ff6cf311d85a20288e83fb4fd3a7b4ab1bf2b69c.exe

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1712-54-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1712-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download