6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
Size

447KB
MD5

a392b52999c5b9f13627bd4350c84963
SHA1

9426def3731dad91384299dd25b375ad96bc9300
SHA256

6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6
SHA512

3c345ebfeefd2ba4f6d626f4b7ad2a291551cf2fa6d326e04a0f6a9e753844cae618cd5f0ff696dd6f02d07630b07ae404b3effd6ba231328e7ed3267e72e329
SSDEEP

6144:4Ly84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXco6Z2:M+u9nx2GjMY3XKfd/H/9PL6Z2

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe"	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
1752	6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	explorer.exe

C:\Users\Admin\AppData\Local\Temp\6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe
"C:\Users\Admin\AppData\Local\Temp\6cd2646b8890aeb147789ea8c173ee091bc0d067f9a58dafdba75be6d807d6a6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1752-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download