7ec0402e62603a9b1aeefb6fb2c5467bf6924f507e0d9cd3eb533076383730d7

Analysis

max time kernel
91s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cikti.exe
Size

724KB
MD5

2066f7d292f4645896ddcb19977fede7
SHA1

c7ca3a830c66647996dba70e0481bb80f44f420e
SHA256

bbbf72e3e18bdf0c1ba98791e138c81e7915de949d4a27ad15eada0109a356ac
SHA512

8cb5161cd5665475bee4166e0a4e49bb777e0928dc34afa18eb66527caef38ab5afbbbc606c4e599e03a6799577cb8fcac28ee20cb41a345623a38be65b5d423
SSDEEP

12288:Q7v4A8TUzz44qOWmQhoWdFzU6N5HWMV6vmQJRAE/cDtM9JSPRB:jlUzz49OWmQ9BNEkhKRAE/GtAuRB

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\scvhost.exe"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	scvhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFMON = "C:\\Windows\\scvhost.exe"	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\scvhost.exe	cikti.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
788	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4364	cikti.exe
Token: SeIncBasePriorityPrivilege	4364	cikti.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2740	4364	cikti.exe	78
PID 4364 wrote to memory of 2740	4364	cikti.exe	78
PID 4364 wrote to memory of 2740	4364	cikti.exe	78
PID 2740 wrote to memory of 4960	2740	cmd.exe	80
PID 2740 wrote to memory of 4960	2740	cmd.exe	80
PID 2740 wrote to memory of 4960	2740	cmd.exe	80
PID 4960 wrote to memory of 4980	4960	cmd.exe	81
PID 4960 wrote to memory of 4980	4960	cmd.exe	81
PID 4960 wrote to memory of 4980	4960	cmd.exe	81
PID 2740 wrote to memory of 5024	2740	cmd.exe	82
PID 2740 wrote to memory of 5024	2740	cmd.exe	82
PID 2740 wrote to memory of 5024	2740	cmd.exe	82
PID 5024 wrote to memory of 788	5024	cmd.exe	83
PID 5024 wrote to memory of 788	5024	cmd.exe	83
PID 5024 wrote to memory of 788	5024	cmd.exe	83
PID 4364 wrote to memory of 2256	4364	cikti.exe	84
PID 4364 wrote to memory of 2256	4364	cikti.exe	84
PID 4364 wrote to memory of 2256	4364	cikti.exe	84

C:\Users\Admin\AppData\Local\Temp\cikti.exe
"C:\Users\Admin\AppData\Local\Temp\cikti.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c check.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell /D "explorer.exe "C:\Windows\scvhost.exe"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell /D "explorer.exe "C:\Windows\scvhost.exe"" /f
      4⤵
      Modifies WinLogon for persistence
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V CTFMON /D "C:\Windows\scvhost.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V CTFMON /D "C:\Windows\scvhost.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:788
- C:\Windows\scvhost.exe
  C:\Windows\scvhost.exe
  2⤵
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.bat

Filesize
256B

MD5
cd3605d0f09d4fb449006593e8210bd2

SHA1
8805b7072289b19a74d2b6627475b8d850534550

SHA256
4855b8e66b23205cb754ee8518fc12676a569d8b7902dde29deaa82062960024

SHA512
5a0a73c59c639a3fd12cb0992669cfb48f648f70d9074faabd09339d3fc1c25fa230b654dd00b47396eea4baaff774a590b56949e90404aacaecd9af61c99be9

Download Submit
C:\Windows\scvhost.exe

Filesize
724KB

MD5
2066f7d292f4645896ddcb19977fede7

SHA1
c7ca3a830c66647996dba70e0481bb80f44f420e

SHA256
bbbf72e3e18bdf0c1ba98791e138c81e7915de949d4a27ad15eada0109a356ac

SHA512
8cb5161cd5665475bee4166e0a4e49bb777e0928dc34afa18eb66527caef38ab5afbbbc606c4e599e03a6799577cb8fcac28ee20cb41a345623a38be65b5d423

Download Submit
C:\Windows\scvhost.exe

Filesize
724KB

MD5
2066f7d292f4645896ddcb19977fede7

SHA1
c7ca3a830c66647996dba70e0481bb80f44f420e

SHA256
bbbf72e3e18bdf0c1ba98791e138c81e7915de949d4a27ad15eada0109a356ac

SHA512
8cb5161cd5665475bee4166e0a4e49bb777e0928dc34afa18eb66527caef38ab5afbbbc606c4e599e03a6799577cb8fcac28ee20cb41a345623a38be65b5d423

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads