068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe

General

Target

068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Size

305KB
MD5

1b7df1a423ea6282063fd060266862c6
SHA1

b78873befbfc35d28efbe685c6b6ab858ba66174
SHA256

068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe
SHA512

7aafd159eb0d78d788d241a0635acee0f58e12f9be9faa8609bfee6f7f120f1a939604a41ce31558a0a978ce02545d929ae1b615b863ecb37d0cb5a89ed8d7a8
SSDEEP

6144:jJHGyoPwcMZAwSYQ1rL4OgbDetAfhiRdsLvOJ0tYRVlOPAKeJNO4:RGyoPwcMZhnQ1rL4OKDeMhi3sLv7cY4

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\3256DFC842BC3625698399\\3256DFC842BC3625698399.exe"	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeSecurityPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeTakeOwnershipPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeLoadDriverPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeSystemProfilePrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeSystemtimePrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeProfSingleProcessPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeIncBasePriorityPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeCreatePagefilePrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeBackupPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeRestorePrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeShutdownPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeDebugPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeSystemEnvironmentPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeRemoteShutdownPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeUndockPrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: SeManageVolumePrivilege	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: 33	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: 34	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
Token: 35	2828	068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe

C:\Users\Admin\AppData\Local\Temp\068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe
"C:\Users\Admin\AppData\Local\Temp\068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3256DFC842BC3625698399\3256DFC842BC3625698399.exe

Filesize
305KB

MD5
1b7df1a423ea6282063fd060266862c6

SHA1
b78873befbfc35d28efbe685c6b6ab858ba66174

SHA256
068b96ec2a520caf46a59385b9910b282cd240fd43840e20e3c367b7cd010cfe

SHA512
7aafd159eb0d78d788d241a0635acee0f58e12f9be9faa8609bfee6f7f120f1a939604a41ce31558a0a978ce02545d929ae1b615b863ecb37d0cb5a89ed8d7a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads