f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 02:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Size

413KB
MD5

a57958303a5049483258a2dc227b36eb
SHA1

6b4ae6a9a3644d19b42f61baf75e3ca194fad8a6
SHA256

f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c
SHA512

1b0aff1c261474ac502326e2a3f30120ab43603a44b2ddbccb60e03fb41a9c7654a8569f6fd8b938e16119dd84f9bdf59f6c506e6235f698690d24ede4277a68
SSDEEP

6144:HlisFUpX3pCxUeLjU/1g9vKcKvSrOMr1RbTK3hXFx:dJgOOW1RbOx

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe\" .."	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe\" .."	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: 33	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
Token: SeIncBasePriorityPrivilege	3032	f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe

C:\Users\Admin\AppData\Local\Temp\f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe
"C:\Users\Admin\AppData\Local\Temp\f1285fd0b7561a4606cf870af4123e9746582eef9cf3665868a3f7503e887e5c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-0-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-1-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-2-0x0000000000B60000-0x0000000000BA0000-memory.dmp

Filesize
256KB

Download
memory/3032-8-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-9-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-10-0x0000000000B60000-0x0000000000BA0000-memory.dmp

Filesize
256KB

Download