e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb

Analysis

max time kernel
36s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
Size

561KB
MD5

51f6e35ffa1001f01602b13863cdfba9
SHA1

5176cdb842e08e291c9de86ba02e633504fd54a7
SHA256

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb
SHA512

7b3510e10091af2641ecc9578a3bb13ba0911b248e06d75b3555d3b3189e57dc7669dc19050dce39ab260e97b322fc256ddb02ac0255f510ec9ca921751362d5

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\d3Tf23g9NOU34b3o\\QpBJrpMMewTU.exe\",explorer.exe"	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
Token: SeDebugPrivilege	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	28
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	28
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	28
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	28
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	29
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	29
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	29
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	29
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	30
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	30
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	30
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	30
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	31
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	31
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	31
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	31
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	32
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	32
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	32
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	32
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	33
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	33
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	33
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	33
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	34
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	34
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	34
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	34

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
  2⤵
  PID:580
- C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
  2⤵
  PID:624
- C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
  2⤵
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
  2⤵
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
  2⤵
  PID:864
- C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 652
  2⤵
  PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-58-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download