f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f

Analysis

max time kernel
55s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe
Size

56KB
MD5

6002ffc83c6b231328ca69d0cf6cc478
SHA1

1b77ab0a992b4cfcfb264423aab6adf487d18df2
SHA256

f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f
SHA512

5b8c385a38a66687479cd4b09800a3f233089eb9f6ab1b6c51fb266686821af14ea7193c1aed1c160a35adac65ffa58791863049bcf89ae62a28c03ce05d64a9
SSDEEP

768:S2WeM6xev28p2DMJ2TY5wJj1Q6F5Fy9tM3XQUgLhHVlh8azVbowuje3iGW777A7p:S2WsfB00LFa9mnWZqyh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe KPSService.exe"	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KPSService.exe	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe
File opened for modification	C:\Windows\SysWOW64\KPSService.exe	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe
File opened for modification	C:\Windows\SysWOW64\KPSService.exe	attrib.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
876	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4912	876	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe	79
PID 876 wrote to memory of 4912	876	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe	79
PID 876 wrote to memory of 4912	876	f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe	79

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe
"C:\Users\Admin\AppData\Local\Temp\f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s +a +r C:\Windows\system32\KPSService.exe
  2⤵
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KPSService.exe

Filesize
56KB

MD5
6002ffc83c6b231328ca69d0cf6cc478

SHA1
1b77ab0a992b4cfcfb264423aab6adf487d18df2

SHA256
f009bd4787fe296a942cc455aaeb5314ab9281d9d97f9a67403597746ec0474f

SHA512
5b8c385a38a66687479cd4b09800a3f233089eb9f6ab1b6c51fb266686821af14ea7193c1aed1c160a35adac65ffa58791863049bcf89ae62a28c03ce05d64a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads