Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:44
Static task: static1
Behavioral task: behavioral1
- Sample: uncategorized_9.0.0.2.vir.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: uncategorized_9.0.0.2.vir.exe
- Resource: win10v200430
General
- Target: uncategorized_9.0.0.2.vir.exe
- Size: 224KB
- MD5: 3706da30e1fc51212ae95aff2fae57ad
- SHA1: 72029dca348d3fa4faa43d9999fa1b744bb559cd
- SHA256: 19d32c1fc7c6fa9a5924aeb6ce69d8e5211c3e458eb51178171e0c75f129c48a
- SHA512: 0d8ae837a6e0a0f9ad582fb94b5a997d30066194f8428e77bdfa2cbe2669dbaa3784752ea41e354c9806bde1792392d930c0d365522f4f0cc762595e00b16897
Malware Config
Signatures
- Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
  Enables rebooting of the machine without requiring login credentials.
  Processes: LogonUI.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked (LogonUI.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks whether UAC is enabled (2 IoCs)
  Processes: IEXPLORE.EXE, iexplore.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (IEXPLORE.EXE)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (iexplore.exe)
- Executes dropped EXE (2 IoCs)
  Processes: dyis.exe, dyis.exe
  PID 1044: dyis.exe
  PID 928: dyis.exe
- Modifies Internet Explorer settings
  Processes: IEXPLORE.EXE
  All entries below are under \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer and were performed by IEXPLORE.EXE:
  Key created: ...\BrowserEmulation\LowMic
  Set value (int): ...\Main\CompatibilityFlags = "0"
  Key created: ...\Main
  Key created: ...\LowRegistry\DOMStorage
  Key created: ...\PageSetup
  Key created: ...\Toolbar\WebBrowser
  Key created: ...\GPU
  Key created: ...\InternetRegistry
  Key created: ...\LowRegistry
  Key created: ...\Toolbar
  Key created: ...\IETld\LowMic
  Key created: ...\IntelliForms
  Key created: ...\LowRegistry\DontShowMeThisDialogAgain
  Key created: ...\Zoom
  Key created: ...\Recovery\AdminActive
  Set value (int): ...\Recovery\AdminActive\{405126D1-C9F8-11EA-8E31-CE94C9E5ACDD} = "0"
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: dyis.exe
  Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run (dyis.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\|7A0C12AB-3521-1C1B-7539-5CD2A54C915A} = "C:\\Users\\Admin\\AppData\\Roaming\\Rihano\\dyis.exe" (dyis.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: uncategorized_9.0.0.2.vir.exe, LogonUI.exe
  Token: SeSecurityPrivilege, PID 1496, uncategorized_9.0.0.2.vir.exe
  Token: SeShutdownPrivilege, PID 924, LogonUI.exe
  Token: SeShutdownPrivilege, PID 924, LogonUI.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  PID 1484: cmd.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: IEXPLORE.EXE
  PID 1340: IEXPLORE.EXE (2 entries)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: uncategorized_9.0.0.2.vir.exe, dyis.exe
  PID 1464 (uncategorized_9.0.0.2.vir.exe) set thread context of PID 1496 (uncategorized_9.0.0.2.vir.exe)
  PID 1044 (dyis.exe) set thread context of PID 928 (dyis.exe)
- Loads dropped DLL (2 IoCs)
  Processes: uncategorized_9.0.0.2.vir.exe
  PID 1496: uncategorized_9.0.0.2.vir.exe (2 entries)
- Suspicious behavior: EnumeratesProcesses (875 IoCs)
  Processes: dyis.exe
  PID 928: dyis.exe (identical entry repeated throughout the listing)
- Enumerates system info in registry (2 TTPs, 32 IoCs)
  Processes: csrss.exe
  All entries below are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\ and were performed by csrss.exe:
  Key value queried: System\MultifunctionAdapter\0\Component Information
  Key value queried: System\MultifunctionAdapter\2\Configuration Data
  Key value queried: System\MultifunctionAdapter\0\KeyboardController\0\Component Information
  Key opened: SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral
  Key value queried: System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data
  Key opened: System\MultifunctionAdapter\2
  Key value queried: System\MultifunctionAdapter\2\Identifier
  Key value queried: System\MultifunctionAdapter\0\Configuration Data
  Key value queried: System\MultifunctionAdapter\1\Configuration Data
  Key queried: System\MultifunctionAdapter\1
  Key opened: SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0
  Key enumerated: System\MultifunctionAdapter
  Key enumerated: System\MultifunctionAdapter\0
  Key opened: SYSTEM\MultifunctionAdapter\1\KeyboardController
  Key value queried: System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier
  Key opened: System\MultifunctionAdapter
  Key opened: System\MultifunctionAdapter\0
  Key value queried: System\MultifunctionAdapter\0\Identifier
  Key value queried: System\MultifunctionAdapter\2\Component Information
  Key opened: SYSTEM\MultifunctionAdapter\0\KeyboardController\0
  Key queried: System\MultifunctionAdapter
  Key value queried: System\MultifunctionAdapter\1\Identifier
  Key queried: System\MultifunctionAdapter\0\KeyboardController
  Key value queried: System\MultifunctionAdapter\0\KeyboardController\0\Identifier
  Key value queried: System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data
  Key queried: System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral
  Key queried: System\MultifunctionAdapter\0
  Key opened: System\MultifunctionAdapter\1
  Key value queried: System\MultifunctionAdapter\1\Component Information
  Key queried: System\MultifunctionAdapter\2
  Key opened: SYSTEM\MultifunctionAdapter\0\KeyboardController
  Key value queried: System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information
- Modifies data under HKEY_USERS (9 IoCs)
  Processes: winlogon.exe
  All entries below were performed by winlogon.exe:
  Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"
- Suspicious use of WriteProcessMemory (76 IoCs)
  Processes: uncategorized_9.0.0.2.vir.exe, uncategorized_9.0.0.2.vir.exe, dyis.exe, dyis.exe, iexplore.exe, IEXPLORE.EXE, csrss.exe
  Identical source/target pairs are collapsed below, with the number of listed entries in parentheses:
  PID 1464 (uncategorized_9.0.0.2.vir.exe) wrote to memory of PID 1496 (uncategorized_9.0.0.2.vir.exe) (9 entries)
  PID 1496 (uncategorized_9.0.0.2.vir.exe) wrote to memory of PID 1044 (dyis.exe) (4 entries)
  PID 1044 (dyis.exe) wrote to memory of PID 928 (dyis.exe) (9 entries)
  PID 1496 (uncategorized_9.0.0.2.vir.exe) wrote to memory of PID 1484 (cmd.exe) (4 entries)
  PID 928 (dyis.exe) wrote to memory of PID 1092 (taskhost.exe) (5 entries)
  PID 928 (dyis.exe) wrote to memory of PID 1180 (Dwm.exe) (5 entries)
  PID 928 (dyis.exe) wrote to memory of PID 1228 (Explorer.EXE) (5 entries)
  PID 928 (dyis.exe) wrote to memory of PID 784 (DllHost.exe) (5 entries)
  PID 928 (dyis.exe) wrote to memory of PID 1484 (cmd.exe) (5 entries)
  PID 928 (dyis.exe) wrote to memory of PID 1900 (iexplore.exe) (4 entries)
  PID 1900 (iexplore.exe) wrote to memory of PID 1340 (IEXPLORE.EXE) (4 entries)
  PID 1340 (IEXPLORE.EXE) wrote to memory of PID 1660 (IEXPLORE.EXE) (4 entries)
  PID 2032 (csrss.exe) wrote to memory of PID 924 (LogonUI.exe) (1 entry)
Processes
- [depth 1] C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- [depth 1] C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe
      - Suspicious use of AdjustPrivilegeToken
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
          Command line: C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Program Files (x86)\internet explorer\iexplore.exe
            Command line: iexplore.exe -k "about:blank"
            - Checks whether UAC is enabled
            - Suspicious use of WriteProcessMemory
            - [depth 7] C:\Program Files\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -k "about:blank"
              - Checks whether UAC is enabled
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - [depth 8] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpba3a5369.bat"
        - Deletes itself
- [depth 1] C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- [depth 1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- [depth 1] C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
- [depth 1] C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - Modifies data under HKEY_USERS
  - [depth 2] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    - Modifies WinLogon to allow AutoLogon
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpba3a5369.bat
- C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
- C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
- C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
- \Users\Admin\AppData\Roaming\Rihano\dyis.exe
- \Users\Admin\AppData\Roaming\Rihano\dyis.exe
- memory/328-21-0x0000000001DB0000-0x0000000001DB1000-memory.dmp (Filesize: 4KB)
- memory/924-19-0x0000000000000000-mapping.dmp
- memory/928-9-0x0000000000410440-mapping.dmp
- memory/1044-5-0x0000000000000000-mapping.dmp
- memory/1340-16-0x0000000000000000-mapping.dmp
- memory/1484-12-0x0000000000000000-mapping.dmp
- memory/1484-14-0x0000000000000000-mapping.dmp
- memory/1496-0-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1496-2-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1496-1-0x0000000000410440-mapping.dmp
- memory/1660-17-0x0000000000000000-mapping.dmp
- memory/1844-18-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
- memory/1900-15-0x0000000000000000-mapping.dmp