a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe
Size

78KB
MD5

3428269702e97113f80c73eb1d723617
SHA1

7abbf2e444e1510d76c28878a77cc8c26823e880
SHA256

a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177
SHA512

78e3926fd0da30277bca685f3b2d7e1b02e90eb79933971631b7b73ceb04c826b5e78ca5a990f32e2c6601efc6c4252a9e3bec0ecc752ee722750a146defc241
SSDEEP

768:gG/aH2FxfWNxHmv/V7IW1INrMkG7gX5RBi6zzQda1As/yf8cnPSh8oHvCyEj:n1wHC/VphkG7O5H1zzQda6s/yfvX3

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia driver = "C:\\Users\\Admin\\AppData\\Roaming\\nvdisp.exe"	a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Nvidia driver = "C:\\Users\\Admin\\AppData\\Roaming\\nvdisp.exe"	a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4644	a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe

C:\Users\Admin\AppData\Local\Temp\a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe
"C:\Users\Admin\AppData\Local\Temp\a052fafe8781074c487055f6ca7096c132f030869cbe142677bf2ada6d37d177.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4644-132-0x00000000000C0000-0x00000000000DA000-memory.dmp

Filesize
104KB

Download
memory/4644-133-0x00000000051C0000-0x0000000005764000-memory.dmp

Filesize
5.6MB

Download
memory/4644-134-0x0000000004B20000-0x0000000004BB2000-memory.dmp

Filesize
584KB

Download
memory/4644-135-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download