1d860ee4908c63bfe75747a5ec9f292ca74882b07e1dca7b0366fd56e55c1e73

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52f61679772dca3040cb8c5b1a92dcdd.exe
Size

542KB
MD5

52f61679772dca3040cb8c5b1a92dcdd
SHA1

9da80f6605545f2b07e08e28b670eaf21a25f287
SHA256

1d860ee4908c63bfe75747a5ec9f292ca74882b07e1dca7b0366fd56e55c1e73
SHA512

fca01d78944631a0637e6936a514f57784bd5866bc6ff5a5a4f4d564e11b500b9aac6ef7f18dcb01574dc1185f366f9b9fdd0a766e02942006fb9d22dacee1ba
SSDEEP

6144:UXgTT6jreJIU0+McGEjO2R+JJU2dc/f+lzfJpISNaCKMcF1ZhNpuWD0t:tTxIC2EiAl+JpIMaCKtF1ZnfDG

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Display Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dispdrv.exe"	52f61679772dca3040cb8c5b1a92dcdd.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe
1888	52f61679772dca3040cb8c5b1a92dcdd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	52f61679772dca3040cb8c5b1a92dcdd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2696	1888	52f61679772dca3040cb8c5b1a92dcdd.exe	29
PID 1888 wrote to memory of 2696	1888	52f61679772dca3040cb8c5b1a92dcdd.exe	29
PID 1888 wrote to memory of 2696	1888	52f61679772dca3040cb8c5b1a92dcdd.exe	29

C:\Users\Admin\AppData\Local\Temp\52f61679772dca3040cb8c5b1a92dcdd.exe
"C:\Users\Admin\AppData\Local\Temp\52f61679772dca3040cb8c5b1a92dcdd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\winlogon.exe
  winlogon
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-0-0x000000001ACE0000-0x000000001AD72000-memory.dmp

Filesize
584KB

Download
memory/1888-1-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/1888-2-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/1888-3-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/1888-5-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download