e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb

General

Target

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
Size

561KB
MD5

51f6e35ffa1001f01602b13863cdfba9
SHA1

5176cdb842e08e291c9de86ba02e633504fd54a7
SHA256

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb
SHA512

7b3510e10091af2641ecc9578a3bb13ba0911b248e06d75b3555d3b3189e57dc7669dc19050dce39ab260e97b322fc256ddb02ac0255f510ec9ca921751362d5

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\d3Tf23g9NOU34b3o\\QpBJrpMMewTU.exe\",explorer.exe"	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

pid	process
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

description	pid	process
Token: SeDebugPrivilege	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
Token: SeDebugPrivilege	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
2⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
2⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
2⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
2⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
"C:\Users\Admin\AppData\Local\Temp\e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe"
2⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 652
2⤵
PID:1564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-58-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1564-56-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 580	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 624	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1796	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1688	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 864	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1172	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	dw20.exe
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	dw20.exe
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	dw20.exe
PID 1376 wrote to memory of 1564	1376	e19d4638453eee9c86b7f253ee19788f5f6b6437e6cf8aecb05e36375712dcdb.exe	dw20.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads