fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0

General

Target

fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Size

199KB
MD5

671405f6f59a49330b29dfb09ddc135e
SHA1

d1cd04211165b61c283e9dc454f2e7da97c07f22
SHA256

fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0
SHA512

e81d4ffc6ebfa81e2d23eff9a5c30ff2ac6b1212c3eefbfdefc3462ba971ac80fde23826c0b5224129092c39f0db94d387e2d4b5e227c5ebfd9261a54c2f55d3
SSDEEP

3072:2f8jmIahXzWAx5DxNn3hIE1b49CtpZGohI/4PTq4j2ub/y/Wt5mMqcs9URElFQpG:nmxoALRZ4mZGo6//j6t8Mq79iEL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	lsass.exe
1912	lsass.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
292	netsh.exe

Loads dropped DLL 2 IoCs

pid	Process
952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 892 set thread context of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 1828 set thread context of 1912	1828	lsass.exe	33

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
1912	lsass.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 892 wrote to memory of 952	892	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	27
PID 952 wrote to memory of 292	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	30
PID 952 wrote to memory of 292	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	30
PID 952 wrote to memory of 292	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	30
PID 952 wrote to memory of 292	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	30
PID 952 wrote to memory of 1828	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	32
PID 952 wrote to memory of 1828	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	32
PID 952 wrote to memory of 1828	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	32
PID 952 wrote to memory of 1828	952	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	32
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33
PID 1828 wrote to memory of 1912	1828	lsass.exe	33

C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
"C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
  "C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:292
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    /d C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      /d C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
memory/292-65-0x0000000000000000-mapping.dmp

Download
memory/952-59-0x0000000000401274-mapping.dmp

Download
memory/952-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/952-63-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/952-54-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/952-70-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/952-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/952-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/952-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1828-68-0x0000000000000000-mapping.dmp

Download
memory/1912-78-0x0000000000401274-mapping.dmp

Download
memory/1912-84-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1912-85-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads