fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea

Analysis

max time kernel
28s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe
Size

28KB
MD5

39eedb8e874a2c41be0ed31a17210be3
SHA1

994c36ce3b5985dfd16ac5972793ebf37fbcfb82
SHA256

fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea
SHA512

d1829aeb4db678e600d75096db8bf870d8ec09882d239be77198620019aa3eb874c52a2475f0097bf46dcb2bc9b3651358265bddd33333dd8e285d42556a5e5e
SSDEEP

768:szel8k+A+qm84U+YNkTFU458IzYcHeImc:s49+qzuT958lI7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\TempReader = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\TempFile.exe"	fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

description pid process

Token: SeDebugPrivilege 1044 fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

pid process

1044 fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

description	pid	process
Token: SeDebugPrivilege	1044	fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

pid	process
1044	fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe

C:\Users\Admin\AppData\Local\Temp\fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe
"C:\Users\Admin\AppData\Local\Temp\fa8b9befac037bc7fd53e20d5f235cd93df6ca143a3c91bef3f5178574d530ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-55-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1044-56-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-57-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download