af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3

Analysis

max time kernel
233s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3.exe
Size

100KB
MD5

a48c3d700f7d5eab4a0eaf2226184631
SHA1

b80cf4b03d92317028127f4088fde614f7edd33f
SHA256

af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3
SHA512

b3e42b03530c1a59783000b5419bbfb5de350fd399c3e5f7c6bb4589d46ff187f899b95c9f8812c72d422527026770043cd934b8fa83bf8e1c78d00f455a5a9e
SSDEEP

1536:zBshjA1mIliLvqFbAJAssy4ZB4aIOtQxrwBxcZPNKQIT6ukHQKEBqTov3eO:wj0N0LvAlZyNMqwxc3I6ukJEcTo/P

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pbspxbc.dll	af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1488	af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3.exe

C:\Users\Admin\AppData\Local\Temp\af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3.exe
"C:\Users\Admin\AppData\Local\Temp\af6001ee9e35758633aded9ee2f06ee7d8f0d434e4c2bfb64fa195574310f9d3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-57-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1488-54-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/1488-55-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1488-56-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download