4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45

Analysis

max time kernel
6s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe
Size

116KB
MD5

b39b33ae7ede8f836dc1cdfdcd5489b6
SHA1

1efd383de9e4db7950b51433d93cfb47a900ee5c
SHA256

4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45
SHA512

27738d61ed992908726250d170e6dc2200921aa108f9637a16435e54f48085a644848a0436da42f22146e03a556e8bd1164b01d3852f3f6822d23e04b865d0cc
SSDEEP

3072:X96lm06rv/2glOv/fLAFabL/1HZ9iYEl:X9/0IblOv/DCSd

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\System32\\WindowsUpdate.exe"	4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

pid process

1896 4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

description pid process

Token: SeDebugPrivilege 1896 4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

pid	process
1896	4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

description	pid	process
Token: SeDebugPrivilege	1896	4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe

C:\Users\Admin\AppData\Local\Temp\4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe
"C:\Users\Admin\AppData\Local\Temp\4ee3dd248d2fa027fb0970ef3f3bf8b9c78c3503e6b7e3e58d0a0a25e698ed45.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-54-0x000007FEF3D50000-0x000007FEF4773000-memory.dmp

Filesize
10.1MB

Download