48c51dddfa0bca653fe6adc5c0508fe9ffdd38f297599027d1664e4a79ebff8a

Analysis

max time kernel
37s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71eb4c27855079bd19866cba9ef2c5f1.exe
Size

3.8MB
MD5

71eb4c27855079bd19866cba9ef2c5f1
SHA1

ba7f626452323d85f20fb796b6e6d435a979e9ec
SHA256

48c51dddfa0bca653fe6adc5c0508fe9ffdd38f297599027d1664e4a79ebff8a
SHA512

ddbda8e486e0db5143160037e906a76c34bb891194e2671f21ff4d82b1a5d14c81ded7a5dc3336e726e80e384e1948a0b79a5243a753dfac8c8cad5f465a1d5f
SSDEEP

49152:gXUIEeZzdeh/c7p1rNdd+JNEj0ykdj21x1YhFlX4bA/Hg/11VzeLG/7wqNKB2VIN:gXrEeZzdhjuV/gd1VzsGUqNKTHvQejR

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdefender = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Defender Updates\\msdefender.exe"	71eb4c27855079bd19866cba9ef2c5f1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe

Suspicious behavior: RenamesItself 7 IoCs

pid	Process
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	71eb4c27855079bd19866cba9ef2c5f1.exe
Token: SeShutdownPrivilege	1664	71eb4c27855079bd19866cba9ef2c5f1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1664	71eb4c27855079bd19866cba9ef2c5f1.exe
1664	71eb4c27855079bd19866cba9ef2c5f1.exe

C:\Users\Admin\AppData\Local\Temp\71eb4c27855079bd19866cba9ef2c5f1.exe
"C:\Users\Admin\AppData\Local\Temp\71eb4c27855079bd19866cba9ef2c5f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads