be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6

Analysis

max time kernel
90s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
Size

46KB
MD5

80f0dc84f0557b9aaa11007d62efc087
SHA1

4dca0c565d2956f4b6c8f0b0089cf6c7680d8a8f
SHA256

be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6
SHA512

1d525b4c58d4aed28373734a332abec6abfa1c30aed838068838dca7ef3cc6c846fb030f66baa7d680033681bba631111d1b937477b08c03abc121d234153e46
SSDEEP

768:1B77777J77c77c77c7q8S1XeSltlNvIrHsK0Lp/K9KcKlhShlYcVLt6B77777J7I:1B77777J77c77c77c71S1XeilJIr96B2

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\328F0C2.exe\""	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\328F0C2.exe = "C:\\Windows\\328F0C2.exe"	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\328F0C2.exe	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
File opened for modification	C:\Windows\328F0C2RUVQUT.exe	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
4356	TASKKILL.exe
2724	TASKKILL.exe
2556	TASKKILL.exe
1452	TASKKILL.exe
4732	TASKKILL.exe
3524	TASKKILL.exe
100	TASKKILL.exe
4412	TASKKILL.exe
3624	TASKKILL.exe
2748	TASKKILL.exe
1384	TASKKILL.exe
2240	TASKKILL.exe
1080	TASKKILL.exe
3904	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	TASKKILL.exe
Token: SeDebugPrivilege	2748	TASKKILL.exe
Token: SeDebugPrivilege	3524	TASKKILL.exe
Token: SeDebugPrivilege	2724	TASKKILL.exe
Token: SeDebugPrivilege	3624	TASKKILL.exe
Token: SeDebugPrivilege	1384	TASKKILL.exe
Token: SeDebugPrivilege	4412	TASKKILL.exe
Token: SeDebugPrivilege	2556	TASKKILL.exe
Token: SeDebugPrivilege	2240	TASKKILL.exe
Token: SeDebugPrivilege	100	TASKKILL.exe
Token: SeDebugPrivilege	4732	TASKKILL.exe
Token: SeDebugPrivilege	1080	TASKKILL.exe
Token: SeDebugPrivilege	3904	TASKKILL.exe
Token: SeDebugPrivilege	1452	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4356	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	84
PID 4960 wrote to memory of 4356	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	84
PID 4960 wrote to memory of 4356	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	84
PID 4960 wrote to memory of 3624	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	85
PID 4960 wrote to memory of 3624	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	85
PID 4960 wrote to memory of 3624	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	85
PID 4960 wrote to memory of 2748	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	89
PID 4960 wrote to memory of 2748	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	89
PID 4960 wrote to memory of 2748	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	89
PID 4960 wrote to memory of 3524	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	87
PID 4960 wrote to memory of 3524	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	87
PID 4960 wrote to memory of 3524	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	87
PID 4960 wrote to memory of 2724	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	91
PID 4960 wrote to memory of 2724	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	91
PID 4960 wrote to memory of 2724	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	91
PID 4960 wrote to memory of 1384	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	92
PID 4960 wrote to memory of 1384	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	92
PID 4960 wrote to memory of 1384	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	92
PID 4960 wrote to memory of 2556	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	96
PID 4960 wrote to memory of 2556	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	96
PID 4960 wrote to memory of 2556	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	96
PID 4960 wrote to memory of 4412	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	95
PID 4960 wrote to memory of 4412	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	95
PID 4960 wrote to memory of 4412	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	95
PID 4960 wrote to memory of 2240	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	98
PID 4960 wrote to memory of 2240	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	98
PID 4960 wrote to memory of 2240	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	98
PID 4960 wrote to memory of 100	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	100
PID 4960 wrote to memory of 100	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	100
PID 4960 wrote to memory of 100	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	100
PID 4960 wrote to memory of 4732	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	105
PID 4960 wrote to memory of 4732	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	105
PID 4960 wrote to memory of 4732	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	105
PID 4960 wrote to memory of 1080	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	101
PID 4960 wrote to memory of 1080	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	101
PID 4960 wrote to memory of 1080	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	101
PID 4960 wrote to memory of 1452	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	103
PID 4960 wrote to memory of 1452	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	103
PID 4960 wrote to memory of 1452	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	103
PID 4960 wrote to memory of 3904	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	109
PID 4960 wrote to memory of 3904	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	109
PID 4960 wrote to memory of 3904	4960	be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe	109

C:\Users\Admin\AppData\Local\Temp\be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe
"C:\Users\Admin\AppData\Local\Temp\be95146d8030efbda51b6ba469c9a7325c93563347747b57ce6e7e0d2fec63c6.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:100
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4960-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads