75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

Analysis

max time kernel
126s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan34295420.scr
Size

875KB
MD5

389ca41e54649946a7b8b1c15d0da2df
SHA1

3ce9137efc80c5e169cb9b0a200339fae09c1202
SHA256

75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
SHA512

6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\windows.exe,"	reg.exe

Executes dropped EXE 6 IoCs

Processes:

windows.exewindows.exewindows.exewindows.exewindows.exewindows.exe

pid process

904 windows.exe
3180 windows.exe
3156 windows.exe
1712 windows.exe
1140 windows.exe
1000 windows.exe

pid	process
904	windows.exe
3180	windows.exe
3156	windows.exe
1712	windows.exe
1140	windows.exe
1000	windows.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

Scan34295420.scrwindows.exewindows.exewindows.exewindows.exewindows.exewindows.exewindows.exe

pid	process
672	Scan34295420.scr
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
4068	windows.exe
904	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3180	windows.exe
3156	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1712	windows.exe
1140	windows.exe
1000	windows.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Scan34295420.scr

pid process

672 Scan34295420.scr

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Scan34295420.scrwindows.exewindows.exewindows.exewindows.exewindows.exewindows.exewindows.exe

description	pid	process
Token: SeDebugPrivilege	672	Scan34295420.scr
Token: SeDebugPrivilege	4068	windows.exe
Token: SeDebugPrivilege	904	windows.exe
Token: SeDebugPrivilege	3180	windows.exe
Token: SeDebugPrivilege	3156	windows.exe
Token: SeDebugPrivilege	1712	windows.exe
Token: SeDebugPrivilege	1140	windows.exe
Token: SeDebugPrivilege	1000	windows.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Scan34295420.scrcmd.exewindows.exewindows.exewindows.exewindows.exewindows.exewindows.exe

description	pid	process	target process
PID 672 wrote to memory of 3644	672	Scan34295420.scr	cmd.exe
PID 672 wrote to memory of 3644	672	Scan34295420.scr	cmd.exe
PID 672 wrote to memory of 3644	672	Scan34295420.scr	cmd.exe
PID 3644 wrote to memory of 496	3644	cmd.exe	reg.exe
PID 3644 wrote to memory of 496	3644	cmd.exe	reg.exe
PID 3644 wrote to memory of 496	3644	cmd.exe	reg.exe
PID 672 wrote to memory of 4068	672	Scan34295420.scr	windows.exe
PID 672 wrote to memory of 4068	672	Scan34295420.scr	windows.exe
PID 672 wrote to memory of 4068	672	Scan34295420.scr	windows.exe
PID 4068 wrote to memory of 904	4068	windows.exe	windows.exe
PID 4068 wrote to memory of 904	4068	windows.exe	windows.exe
PID 4068 wrote to memory of 904	4068	windows.exe	windows.exe
PID 904 wrote to memory of 3180	904	windows.exe	windows.exe
PID 904 wrote to memory of 3180	904	windows.exe	windows.exe
PID 904 wrote to memory of 3180	904	windows.exe	windows.exe
PID 3180 wrote to memory of 3156	3180	windows.exe	windows.exe
PID 3180 wrote to memory of 3156	3180	windows.exe	windows.exe
PID 3180 wrote to memory of 3156	3180	windows.exe	windows.exe
PID 3156 wrote to memory of 1712	3156	windows.exe	windows.exe
PID 3156 wrote to memory of 1712	3156	windows.exe	windows.exe
PID 3156 wrote to memory of 1712	3156	windows.exe	windows.exe
PID 1712 wrote to memory of 1140	1712	windows.exe	windows.exe
PID 1712 wrote to memory of 1140	1712	windows.exe	windows.exe
PID 1712 wrote to memory of 1140	1712	windows.exe	windows.exe
PID 1140 wrote to memory of 1000	1140	windows.exe	windows.exe
PID 1140 wrote to memory of 1000	1140	windows.exe	windows.exe
PID 1140 wrote to memory of 1000	1140	windows.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\Scan34295420.scr
"C:\Users\Admin\AppData\Local\Temp\Scan34295420.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\windows.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\windows.exe,"
3⤵
- Modifies WinLogon for persistence
PID:496

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windows.exe.log
MD5
9705333b1a0a11201517441312405a6f

SHA1
a15e1489065e75f6c8c09067b232968068e31389

SHA256
fc3f9b814d8531fb0794137aba3cc94437adab446b62a9efef25cd6855f7360f

SHA512
8621fcd7a33db7f15dd41871b06f8602b92ebe2aaf3631cf6c768db73988b6d8002c907c8b4c41bdd967426cdfea065ad1aef864ef8f82aa022e03df3fabe5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
389ca41e54649946a7b8b1c15d0da2df

SHA1
3ce9137efc80c5e169cb9b0a200339fae09c1202

SHA256
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

SHA512
6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95

Download Submit
memory/496-10-0x0000000000000000-mapping.dmp

Download
memory/672-11-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/672-6-0x0000000004860000-0x000000000487E000-memory.dmp

Filesize
120KB

Download
memory/672-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/672-5-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/672-7-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/672-8-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/672-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/904-25-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/904-21-0x0000000000000000-mapping.dmp

Download
memory/1000-77-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1140-67-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1140-64-0x0000000000000000-mapping.dmp

Download
memory/1712-54-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/3156-43-0x0000000000000000-mapping.dmp

Download
memory/3156-46-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/3180-33-0x0000000000000000-mapping.dmp

Download
memory/3180-35-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/3644-9-0x0000000000000000-mapping.dmp

Download
memory/4068-12-0x0000000000000000-mapping.dmp

Download
memory/4068-13-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads