d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04

General

Target

d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Size

25KB
MD5

a88e90735d00e914ac9762c48dd3a96d
SHA1

862b0d59940bcdc752fecfe74aaa67e7d70eb3ab
SHA256

d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04
SHA512

6c9e4eb1b0e63f793d540c0de2da75b1da8aed4a3c5de89b04677b339bdd5ca3b18b516c0f004305ed508a98f67014452cf993fd03deba5e58016c4c1e2410f3

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe\" .."	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe\" .."	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

pid process

4580 d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

pid	process
4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

description	pid	process
Token: SeDebugPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: 33	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
Token: SeIncBasePriorityPrivilege	4580	d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe

C:\Users\Admin\AppData\Local\Temp\d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe
"C:\Users\Admin\AppData\Local\Temp\d88a7cb863f1f923fabd02d62504953b92fa108556cea4248d1efaca5a4a7d04.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4580-130-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/4580-131-0x00007FF8BA280000-0x00007FF8BAD41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads