05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954

General

Target

05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954.exe
Size

144KB
MD5

960c7973d634f18a16abd5480ef0e995
SHA1

dcf48acc48d8b419169d8f14d72d15fd7077746b
SHA256

05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954
SHA512

f746f171122fe8168f188f067cbd2323af362b9a37554cdc3544c6758fa648c4494d6186eb7e24618d2578d9455b03b6816e4b061e3dbdf1476e3ad7a3348e27
SSDEEP

3072:hGq8aX6X/AVHK4buyianNpf+NVZe1eZan12YMt9TEGB:fnKXqHLuynTf+NVZha1JMtZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	mshjtmbs.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	mshjtmbs.exe
File opened (read-only)	\??\S:	mshjtmbs.exe
File opened (read-only)	\??\T:	mshjtmbs.exe
File opened (read-only)	\??\Y:	mshjtmbs.exe
File opened (read-only)	\??\F:	mshjtmbs.exe
File opened (read-only)	\??\G:	mshjtmbs.exe
File opened (read-only)	\??\J:	mshjtmbs.exe
File opened (read-only)	\??\L:	mshjtmbs.exe
File opened (read-only)	\??\O:	mshjtmbs.exe
File opened (read-only)	\??\V:	mshjtmbs.exe
File opened (read-only)	\??\U:	mshjtmbs.exe
File opened (read-only)	\??\E:	mshjtmbs.exe
File opened (read-only)	\??\K:	mshjtmbs.exe
File opened (read-only)	\??\M:	mshjtmbs.exe
File opened (read-only)	\??\P:	mshjtmbs.exe
File opened (read-only)	\??\W:	mshjtmbs.exe
File opened (read-only)	\??\X:	mshjtmbs.exe
File opened (read-only)	\??\Z:	mshjtmbs.exe
File opened (read-only)	\??\H:	mshjtmbs.exe
File opened (read-only)	\??\I:	mshjtmbs.exe
File opened (read-only)	\??\N:	mshjtmbs.exe
File opened (read-only)	\??\Q:	mshjtmbs.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	mshjtmbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	mshjtmbs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\SUPPORT_8712 = "0"	mshjtmbs.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mshjtmbs.exe	05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954.exe
File opened for modification	C:\Windows\SysWOW64\mshjtmbs.exe	05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mshjtmbs.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadNetworkName = "Network 3"	mshjtmbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44\WpadDecisionTime = 50426d56b8e4d801	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mshjtmbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mshjtmbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshjtmbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mshjtmbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadDecisionTime = 50426d56b8e4d801	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44\WpadDecision = "0"	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadDecision = "0"	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadDecisionReason = "1"	mshjtmbs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshjtmbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mshjtmbs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\b2-0d-d0-e6-d2-44	mshjtmbs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mshjtmbs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44\WpadDecisionReason = "1"	mshjtmbs.exe

C:\Users\Admin\AppData\Local\Temp\05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954.exe
"C:\Users\Admin\AppData\Local\Temp\05215df9e3ae7571465957757151ce1a5b971ccc42fc75122d3a0b6336ef4954.exe"
1⤵
- Drops file in System32 directory
PID:1340

C:\Windows\SysWOW64\mshjtmbs.exe
C:\Windows\SysWOW64\mshjtmbs.exe /service
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mshjtmbs.exe

Filesize
144KB

MD5
afa8d8e15b42333742274f089b45b1da

SHA1
18ba16ffd89577e4c5a077cabd80bdae4670ef45

SHA256
c88a9673d54bc0d6f291057b597bd65b70a9055f4b9c9b188df189c7cfe3fe92

SHA512
2c27e88fea4b3dc6091e4bf4eecb1c0c8c16262278370f18da8d82a1dd8be6b45a9bec98add56ef27c8e87c3485b8be6c80d9935b3ebe7fb4fd676592afe5485

Download Submit
memory/1340-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1340-56-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/1340-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-61-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/1380-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing