Analysis

  • max time kernel
    299s
  • max time network
    321s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:28

Errors

Reason
Machine shutdown

General

  • Target

    chrome-assests/a.html

  • Size

    350B

  • MD5

    420b6966af9d8dfd4095737a873509a2

  • SHA1

    ef780ca200a3405e866d685ec9284c009219508a

  • SHA256

    e6a8fd43ffc04efccf17110152db69265190e18c9484de4cb82fd5e63cf264c3

  • SHA512

    3484c523ee19961dde0f89ebf5f3d99c8b000d63c68d82919fb1563c81f5959f6ef69b37d3ec952b40007b27d2ab436058fe4138ff784e254e267cc1de587033

Score
8/10

Malware Config

Signatures

  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\chrome-assests\a.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:728 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2704
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad4055 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

2
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5

    ffc04cd305e33221116feebf2eaa50b0

    SHA1

    6aeecd1a32ce6655a43e6b35cb2d0cb45876c9d4

    SHA256

    e0215011ac1136f278389a2a9b9572d9cdbb704f4a2a6d4b9cb8e99eba316de4

    SHA512

    ecd09a4db7f337f7b4b767edca0615262af8785c3dd85e6369037c04eda0865c59949a406e6e016ba8e893e7f740881be22909aa472ea6fd1c38aa3902979a01

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5

    d0fed8137d3086e5fa3996b9429cab16

    SHA1

    0a0cb88cd6a8a5f1163e5153092915d9fc58ab14

    SHA256

    018c6a27a9830895a6bbd16399448c085af3bc080cbd9b916f36bfa02e3750ef

    SHA512

    85a7ebaf91acfd160dbd3636c9fa76d2110092b853165dbfa310aa60112698cfeef8b185b6ec3e1768418e3b95f862a8cda10e3f8d521b58652d3acee095f1d1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OAOVPWL1.cookie
    MD5

    38967ac2c16342d1b55e4a4865b48cfc

    SHA1

    9a41bd3801e08255732ad5f383df3e2503848f47

    SHA256

    86f81ff33b9ff9174a200304863051ed24638411c4c1bfcec41ffec88adac281

    SHA512

    31f5b3fdd95a0b986e81ccd781a431b65d9c0c37fcef585137f2d3608a400b256a8c0ea0af76d122bcdb48a294d36a66d64d4c149dc2956dbbcd39bb73224d0f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VQVZ9MYT.cookie
    MD5

    0782a99a22445b9a71bbb0b9d39f000d

    SHA1

    b44704b15602e138ae0c4280f7bdb25af40379a0

    SHA256

    1cb4d604598e9b9b84170dfa6f8da8462967268de6413c4ac8d38f41e7e5ecd6

    SHA512

    86907ad2f4284be7f970b598959c0987e411a75322ff350c27986b17a982094556bd4a5c7c13910d5fd19c3716636e7493e70f16fa9c64ff7c7c743d097c74f0

  • memory/2704-0-0x0000000000000000-mapping.dmp