56fd163108e6e2a9e2f7cfd15898f61d5b8d435ed839d1e29b70c040998eedcf

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 08:28

Target

Dekont_20220926155607 pdf.exe
Size

11KB
MD5

98ec95d07881fe20943c648fc17a4884
SHA1

4caeeacf2e4dcac911f64a20b00388f96e9adc7e
SHA256

56fd163108e6e2a9e2f7cfd15898f61d5b8d435ed839d1e29b70c040998eedcf
SHA512

ac4e2b370b3880cdc6a67f9978c4f82fe3686d9ccb6bfc580a233721d7befc8709ddb056c76d8db369bdf7f2c49f6a0ab65e3e3c75f041ebde18a7761e1f7f48
SSDEEP

192:yMZ3k3osS0Otg03xoVjn9GprrrrrrrrrrrrrrrrrrrreKp:yMZ04s7OSaxoVwprrrrrrrrrrrrrrrrh

Score

9^/10

discovery

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Dekont_20220926155607 pdf.exe

description pid process

Token: SeDebugPrivilege 1604 Dekont_20220926155607 pdf.exe

description	pid	process
Token: SeDebugPrivilege	1604	Dekont_20220926155607 pdf.exe

C:\Users\Admin\AppData\Local\Temp\Dekont_20220926155607 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont_20220926155607 pdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1604-54-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/1604-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download