be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
Size

46KB
MD5

80f0dc84f0557b9aaa11007d62efc087
SHA1

4dca0c565d2956f4b6c8f0b0089cf6c7680d8a8f
SHA256

be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6
SHA512

1d525b4c58d4aed28373734a332abec6abfa1c30aed838068838dca7ef3cc6c846fb030f66baa7d680033681bba631111d1b937477b08c03abc121d234153e46
SSDEEP

768:1B77777J77c77c77c7q8S1XeSltlNvIrHsK0Lp/K9KcKlhShlYcVLt6B77777J7I:1B77777J77c77c77c71S1XeilJIr96B2

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\5FBF98.exe\""	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5FBF98.exe = "C:\\Windows\\5FBF98.exe"	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5FBF98RWVRQV.exe	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
File opened for modification	C:\Windows\5FBF98.exe	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1428	TASKKILL.exe
1708	TASKKILL.exe
1560	TASKKILL.exe
1544	TASKKILL.exe
824	TASKKILL.exe
1376	TASKKILL.exe
2004	TASKKILL.exe
1680	TASKKILL.exe
1824	TASKKILL.exe
1036	TASKKILL.exe
1040	TASKKILL.exe
892	TASKKILL.exe
1516	TASKKILL.exe
1076	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	TASKKILL.exe
Token: SeDebugPrivilege	1516	TASKKILL.exe
Token: SeDebugPrivilege	1708	TASKKILL.exe
Token: SeDebugPrivilege	1376	TASKKILL.exe
Token: SeDebugPrivilege	1560	TASKKILL.exe
Token: SeDebugPrivilege	1544	TASKKILL.exe
Token: SeDebugPrivilege	1076	TASKKILL.exe
Token: SeDebugPrivilege	824	TASKKILL.exe
Token: SeDebugPrivilege	892	TASKKILL.exe
Token: SeDebugPrivilege	2004	TASKKILL.exe
Token: SeDebugPrivilege	1036	TASKKILL.exe
Token: SeDebugPrivilege	1680	TASKKILL.exe
Token: SeDebugPrivilege	1040	TASKKILL.exe
Token: SeDebugPrivilege	1824	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1428	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	26
PID 784 wrote to memory of 1428	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	26
PID 784 wrote to memory of 1428	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	26
PID 784 wrote to memory of 1428	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	26
PID 784 wrote to memory of 2004	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	27
PID 784 wrote to memory of 2004	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	27
PID 784 wrote to memory of 2004	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	27
PID 784 wrote to memory of 2004	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	27
PID 784 wrote to memory of 892	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	29
PID 784 wrote to memory of 892	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	29
PID 784 wrote to memory of 892	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	29
PID 784 wrote to memory of 892	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	29
PID 784 wrote to memory of 1708	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	30
PID 784 wrote to memory of 1708	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	30
PID 784 wrote to memory of 1708	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	30
PID 784 wrote to memory of 1708	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	30
PID 784 wrote to memory of 1560	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	31
PID 784 wrote to memory of 1560	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	31
PID 784 wrote to memory of 1560	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	31
PID 784 wrote to memory of 1560	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	31
PID 784 wrote to memory of 1516	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	34
PID 784 wrote to memory of 1516	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	34
PID 784 wrote to memory of 1516	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	34
PID 784 wrote to memory of 1516	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	34
PID 784 wrote to memory of 1076	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	36
PID 784 wrote to memory of 1076	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	36
PID 784 wrote to memory of 1076	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	36
PID 784 wrote to memory of 1076	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	36
PID 784 wrote to memory of 1824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	40
PID 784 wrote to memory of 1824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	40
PID 784 wrote to memory of 1824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	40
PID 784 wrote to memory of 1824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	40
PID 784 wrote to memory of 1680	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	38
PID 784 wrote to memory of 1680	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	38
PID 784 wrote to memory of 1680	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	38
PID 784 wrote to memory of 1680	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	38
PID 784 wrote to memory of 1544	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	42
PID 784 wrote to memory of 1544	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	42
PID 784 wrote to memory of 1544	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	42
PID 784 wrote to memory of 1544	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	42
PID 784 wrote to memory of 1036	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	45
PID 784 wrote to memory of 1036	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	45
PID 784 wrote to memory of 1036	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	45
PID 784 wrote to memory of 1036	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	45
PID 784 wrote to memory of 1376	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	47
PID 784 wrote to memory of 1376	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	47
PID 784 wrote to memory of 1376	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	47
PID 784 wrote to memory of 1376	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	47
PID 784 wrote to memory of 824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	49
PID 784 wrote to memory of 824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	49
PID 784 wrote to memory of 824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	49
PID 784 wrote to memory of 824	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	49
PID 784 wrote to memory of 1040	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	51
PID 784 wrote to memory of 1040	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	51
PID 784 wrote to memory of 1040	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	51
PID 784 wrote to memory of 1040	784	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	51

C:\Users\Admin\AppData\Local\Temp\be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
"C:\Users\Admin\AppData\Local\Temp\be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads