2737636e7f7223317dc5706c4d69b4d9b0bc9a15c89658c3ce67566f18665eb7

General

Target

2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Size

72KB
MD5

1c298039c674d1243bffd7189636b229
SHA1

305a79eb4d2c48edc2c11765b1d6e8b418d74fef
SHA256

2737636e7f7223317dc5706c4d69b4d9b0bc9a15c89658c3ce67566f18665eb7
SHA512

174d50913a54e4c0d430a5dc932e899ed544482703bb7a5065086d5f1ca14fbbfb75dd3d12725c186443b60ebde6d8114b6c017e78071497ca6345f91991dec8
SSDEEP

384:ZZyLHIYz/wpa9GP4Uy2vXy2m4M4SlhUrl9D9O5UE5QzwBlpJNakkjh/TzF7pWnyV:7EIKR4gh2vyVcS+wvQO+Dt+L

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe\" .."	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe\" .."	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

pid process

4596 2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

pid	process
4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

description	pid	process
Token: SeDebugPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: 33	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
Token: SeIncBasePriorityPrivilege	4596	2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2040-8-0x0000000001E80000-0x0000000001E92000-memory.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-0-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-1-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-2-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/4596-4-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-5-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads