523190f1fd2e4a7be94f790ae040a3375460123f371077f20864aec61ea016f6

Analysis

max time kernel
65s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
20-01-2021 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

37d67bd746d37724222ec6c8f61d1a02
SHA1

ef202fb219bb84b2d860821a1ff213c4722fd90d
SHA256

523190f1fd2e4a7be94f790ae040a3375460123f371077f20864aec61ea016f6
SHA512

d5c571a1ec6ab63f8da91250e66bbc7cc6ae382e456a7f88f8a81ec711dae32333a30e653e8f613f1f6c3e0e67ec671a79ff066dc7e4034751eadabe3d416e2d

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe\""	file.exe

Drops startup file 2 IoCs

Processes:

file.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	file.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	file.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
PID:424

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-2-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/424-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/424-5-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/424-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/424-7-0x0000000004B00000-0x0000000004B2B000-memory.dmp

Filesize
172KB

Download
memory/424-8-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads