7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca

General

Target

7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
Size

9KB
MD5

5a8ac8276fd31538a488f3deacb373bd
SHA1

0826f0798a1c617a9dae709f4ac8bfbf9d7e5e0c
SHA256

7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca
SHA512

e2a5305604eb7a7a6fa523d49a3f3316c472c4279a16c18c8d00efb61f94da46634f8b02c9a47ab4b93b56c0a7a5254dd978417d554085fb3a9dc485fc6540f1
SSDEEP

96:iBButsCr3ScglSzmQRFoVlrukcE2TYlnlYJnL0PBL0KffveVAGgY5HtDC2cqedFa:2B7SCBvlruV2nlYJLIBLTO/Ntycbx

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Users\\Admin\\AppData\\Roaming\\XTIcS\\ltc.exe"	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

pid	process
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

description pid process

Token: SeDebugPrivilege 1116 7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

description	pid	process
Token: SeDebugPrivilege	1116	7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe

C:\Users\Admin\AppData\Local\Temp\7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe
"C:\Users\Admin\AppData\Local\Temp\7c5cf8c65c373db149295f3bfea27714b17b1e46cfa30c471a30ac4e178fd0ca.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-132-0x00007FF86EA40000-0x00007FF86F476000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing