d0ec7df89e17c336e054aeb8dc433226fceff8dfc7d35f4f56dec398a6c1677e

Analysis

max time kernel
76s
max time network
86s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-07-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upgrade.exe
Size

13KB
MD5

fd4bf565af2154c5651a5d34bf993660
SHA1

4419971b7bf4fd32393707a5c18c66b19ffb46a0
SHA256

d0ec7df89e17c336e054aeb8dc433226fceff8dfc7d35f4f56dec398a6c1677e
SHA512

7b2c652f9d30cb434c57d11394e9d5c8267e923d2e3277ba643ae4560e7784eadee1911a6e2f9dd572cb812ed5924d0e61636ada2cb821b2e639a664da89d9f8
SSDEEP

192:MyM3mQn/knz2JA4GbfXi/VUktqq/Fb+pkVwpzRNca4a:MyM2Qn9C4GbfuVDqq1+Gw1Qa4

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	upgrade.exe

C:\Users\Admin\AppData\Local\Temp\upgrade.exe
"C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4900-0-0x000000007322E000-0x000000007322F000-memory.dmp

Filesize
4KB

Download
memory/4900-1-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/4900-2-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/4900-4-0x000000007322E000-0x000000007322F000-memory.dmp

Filesize
4KB

Download
memory/4900-5-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/4900-9-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download