85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239

Analysis

max time kernel
177s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
Size

204KB
MD5

00e04bde97d319b87ce73e1992ecf931
SHA1

3b84059e0aad09686fe31b08c86ae6b13c9ebbe3
SHA256

85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239
SHA512

550fc59571c164f5568c3d05ddcc16f790e50bda5aa2424ebd97b1368f3fdcbe7a8ed95276c2fcbc02dffa1e54e75617610788d6a41ae8bb094c874e8938031b
SSDEEP

3072:8hwVMQgpRh5qTsxyTDW2DQ8zK7dPLjNNRwQRmttOHXf:H2Rnh5EsIm2Ef7RNYQRmyXf

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
File opened for modification	C:\WINDOWS\V2011.exe	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe

C:\Users\Admin\AppData\Local\Temp\85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe
"C:\Users\Admin\AppData\Local\Temp\85db2bed51c8cbd42cbdcb96bf4d10678c74496fde95fe396a6c799103c19239.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...