c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0

Analysis

max time kernel
279s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
Size

155KB
MD5

8072023387d352d2b4e03367c74cfe3b
SHA1

4c902a40defe9f5710ee3d0a8c159cbcb32bd312
SHA256

c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0
SHA512

1e650d6bc0b6823c1fe11cbf214fb831d89db230b044c25c1591f3db765b261d6788c56d327398d0849c02e3ba695bbaa97d4176d01998bbf741e12385e52be1
SSDEEP

1536:NjHWUBjVLTfo9JUKFCBy2uvl/0yBjBwU0yHp2JWKucqP/J:Njtj5Tsd6mF0yBBVsxK/J

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe"	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
564	c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe

C:\Users\Admin\AppData\Local\Temp\c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe
"C:\Users\Admin\AppData\Local\Temp\c2c62672a22bc1ec87b403f5082205b85cb2346e5e85245bf6bff59fd9f6c2d0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-54-0x000007FEF4120000-0x000007FEF4B43000-memory.dmp

Filesize
10.1MB

Download
memory/564-55-0x000007FEF3080000-0x000007FEF4116000-memory.dmp

Filesize
16.6MB

Download
memory/564-56-0x0000000000116000-0x0000000000135000-memory.dmp

Filesize
124KB

Download