78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2022, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

320KB
MD5

79c8aec89b55f0fd893c5358cfe66634
SHA1

cb1065ed12890f9dfa599e94c559626129f9efcb
SHA256

78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa
SHA512

8f0080961607b102006594f33904b2e61346c4465874807e411a61d8ac08b3abb186736549161e1ce09910fc3c87f37e1a4052cbb88e8207c9b7b80668fa6ffd
SSDEEP

6144:L2CgfxElP8isat6Z475cw0npnlSLmarpUguiVuVTEryN+9t7NS:L2YR2DEknwaaFUZiVuK7

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\ViperFolder\\FiperTY.exe\","	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 856	1320	tmp.exe	84

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
856	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1320	tmp.exe
1320	tmp.exe
1320	tmp.exe
1320	tmp.exe
1320	tmp.exe
1320	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 860	1320	tmp.exe	83
PID 1320 wrote to memory of 860	1320	tmp.exe	83
PID 1320 wrote to memory of 860	1320	tmp.exe	83
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84
PID 1320 wrote to memory of 856	1320	tmp.exe	84

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/856-139-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/1320-132-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/1320-133-0x000000003A460000-0x000000003A4C6000-memory.dmp

Filesize
408KB

Download
memory/1320-134-0x000000003AC90000-0x000000003AD22000-memory.dmp

Filesize
584KB

Download
memory/1320-135-0x000000003B2E0000-0x000000003B884000-memory.dmp

Filesize
5.6MB

Download