1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973

General

Target

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
Size

72KB
MD5

052ccfcaf3c8f4008d8cdd8c473c879c
SHA1

87d7f7484426a11b75b56e5057df507593cead93
SHA256

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973
SHA512

d989bbb902658873cdaae07271235f6801010960aac9be6237096274ef38b9a34d374e6534c57e5fc94837857c92f689cf05df397ee43fb50e3fdb9fb63cc398

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\host32.exe,"	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

description	pid	process	target process
PID 1304 set thread context of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

Drops file in Windows directory 2 IoCs

Processes:

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

description	ioc	process
File opened for modification	C:\Windows\host32.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
File created	C:\Windows\host32.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

pid	process
1344	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
1344	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

description pid process

Token: SeDebugPrivilege 1344 1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

description	pid	process
Token: SeDebugPrivilege	1344	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

description	pid	process	target process
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
PID 1304 wrote to memory of 1344	1304	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe	1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe

C:\Users\Admin\AppData\Local\Temp\1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
"C:\Users\Admin\AppData\Local\Temp\1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe
"C:\Users\Admin\AppData\Local\Temp\1283285b7d4791bacfcbd29c8d579785b75a636d1e1866d8219600a353bb8973.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1344-1-0x0000000000406D3B-mapping.dmp

Download
memory/1344-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads