0b6efdd0f3f4dddee58af21631051999c5e9d7968a3ba2e7a34388c42375a457

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1eecde902cf9ae57bf9a0e1e25032e6.exe
Size

3.8MB
MD5

c1eecde902cf9ae57bf9a0e1e25032e6
SHA1

0e373286f2da046c6912f25160e0912496d02d84
SHA256

0b6efdd0f3f4dddee58af21631051999c5e9d7968a3ba2e7a34388c42375a457
SHA512

011c171342593527c0259015376a96026c2d0cb6be2734d5b09a0a0aba4f2ff0641c9df2a67cb29a7ae193fbe1358d2e00a0125da9e449939973c680e6b96624
SSDEEP

98304:877Pmq33rE/JDLPWZADUGer7B6iY74M/HmlwXVZaFB:K+R/eZADUXR

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\NRT = "C:\\Users\\Admin\\AppData\\Local\\Solitare\\NRT.exe"	c1eecde902cf9ae57bf9a0e1e25032e6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe

Suspicious behavior: RenamesItself 30 IoCs

pid	Process
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
Token: SeShutdownPrivilege	2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe
2212	c1eecde902cf9ae57bf9a0e1e25032e6.exe

C:\Users\Admin\AppData\Local\Temp\c1eecde902cf9ae57bf9a0e1e25032e6.exe
"C:\Users\Admin\AppData\Local\Temp\c1eecde902cf9ae57bf9a0e1e25032e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads