fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0

General

Target

fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Size

199KB
MD5

671405f6f59a49330b29dfb09ddc135e
SHA1

d1cd04211165b61c283e9dc454f2e7da97c07f22
SHA256

fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0
SHA512

e81d4ffc6ebfa81e2d23eff9a5c30ff2ac6b1212c3eefbfdefc3462ba971ac80fde23826c0b5224129092c39f0db94d387e2d4b5e227c5ebfd9261a54c2f55d3
SSDEEP

3072:2f8jmIahXzWAx5DxNn3hIE1b49CtpZGohI/4PTq4j2ub/y/Wt5mMqcs9URElFQpG:nmxoALRZ4mZGo6//j6t8Mq79iEL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe

Executes dropped EXE 2 IoCs

pid	Process
4892	smss.exe
4196	smss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4248	netsh.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 4892 set thread context of 4196	4892	smss.exe	95

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
4196	smss.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 1468 wrote to memory of 3100	1468	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	80
PID 3100 wrote to memory of 4248	3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	91
PID 3100 wrote to memory of 4248	3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	91
PID 3100 wrote to memory of 4248	3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	91
PID 3100 wrote to memory of 4892	3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	93
PID 3100 wrote to memory of 4892	3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	93
PID 3100 wrote to memory of 4892	3100	fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe	93
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95
PID 4892 wrote to memory of 4196	4892	smss.exe	95

C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
"C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
  "C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\smss.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:4248
- - C:\Users\Admin\AppData\Roaming\smss.exe
    /d C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Roaming\smss.exe
      /d C:\Users\Admin\AppData\Local\Temp\fb42df0d5ec2b31742cbf16c76d9152d415b3677c964122a7f3b4b65de489ae0.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\smss.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
C:\Users\Admin\AppData\Roaming\smss.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
C:\Users\Admin\AppData\Roaming\smss.exe

Filesize
199KB

MD5
d4752c75a33d5d6795863ac5ef1ceedf

SHA1
4fc87aef44c5673a671bf7bf681e57531e397734

SHA256
da6279cc953d898bb9ef23a184c4f68e810212cee10c116ce0d83a951b245dc8

SHA512
3617c5718f493a7aa0f4dbf380ccadbe498068ca5586071b4d7690db020c72d8063d394821ef5d5411812de04bd67d4f15d06542307cdca09f3b86bfda9aad76

Download Submit
memory/3100-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3100-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3100-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4196-147-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4196-150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads