28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe
Size

7KB
MD5

0cac1aacdd9e7445d1930f43aa2d5c7b
SHA1

61dd9d21246118873318966e0d545920188b93d0
SHA256

28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca
SHA512

70a6c2b1c3e88bd79800254c8c6fd4caae4a28a9b0494459fce564e3217f22d2bf3a6c69d25e166cd13a3909698cf2368de8801def23f889261d9d2145ecb9fa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloader.exe"	28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4660	3748	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe

pid	Process
3748	28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe

description	pid	Process
Token: SeDebugPrivilege	3748	28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe

C:\Users\Admin\AppData\Local\Temp\28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe
"C:\Users\Admin\AppData\Local\Temp\28ce5de07e027e7ed408b31c97a8f376f32b55c931a3b5514f4c1792d8875fca.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1760
  2⤵
  - Program crash
  PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3748 -ip 3748
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3748-130-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download