921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766

Analysis

max time kernel
91s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Size

25KB
MD5

db9f922b7999fa8ea609c4c260e724d0
SHA1

8457bf31475077f654d020ac1c7fce9a424a4bd4
SHA256

921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766
SHA512

9aee84ae130dd78e01e311a19ffe583c75486dfdf28e067ca5081df584cc184f810d82ef496d2b1c5feb1ec0da98365a299e017ee94cd4ce51aa892aeb509cc9
SSDEEP

768:mddMm/3yuVR9ZEwhjlTpGf+iU3H8u+IheO17y5ra:mdS2L7pj2BGL+IheuCra

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeBackupPrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
Token: SeRestorePrivilege	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1344	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe	81
PID 4928 wrote to memory of 1344	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe	81
PID 4928 wrote to memory of 1344	4928	921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe	81

C:\Users\Admin\AppData\Local\Temp\921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
"C:\Users\Admin\AppData\Local\Temp\921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4928-132-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4928-134-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download