2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12

General

Target

2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Size

105KB
MD5

80fcedc30fd7e9cf90c40d04bd06beba
SHA1

c27ef96cf12f0a699a6f8b8eb2f0ce294be2b97e
SHA256

2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12
SHA512

59bb1cd9aec4e3d2ea553cbe3002c1ae0a7076523e807a81536ea15602954be6a129011787f0a6922cf9d2f8cbe62c6880e48eee1baf8dca6973947e04457f63
SSDEEP

1536:fEizl72rH5hmMMXapYHF3LHRfP2FB+13vCjAWX:Mizt/MMapYlR+Bca

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-58-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1724-60-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1724-61-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1724-66-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1724-67-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1724-69-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1724	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hvrtsny = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\hvrtsny.dll\",hvrtsny"	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny\DllName = "C:\\Users\\Admin\\AppData\\Local\\hvrtsny.dll"	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny\Startup = "hvrtsny"	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny\Impersonate = "1"	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny\Asynchronous = "1"	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny\MaxWait = "1"	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hvrtsny\srokqidj = 1e01f82f7804e0bff108	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 704 set thread context of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27
PID 704 wrote to memory of 1724	704	2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe	27

C:\Users\Admin\AppData\Local\Temp\2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
"C:\Users\Admin\AppData\Local\Temp\2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe
  "C:\Users\Admin\AppData\Local\Temp\2e35a81ea95bf6f83fcb8cb27bf085360f79abd01a88fa79406a82a4195efe12.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\hvrtsny.dll

Filesize
30KB

MD5
a38e18ed0e0317c84cc03d06d3f9494b

SHA1
cedd8bcd404dbd6ac3f25353729e82777746bafd

SHA256
cc15756a0ec3d7626873b3eda670b62275e51a3b1ae027df3c8cdeed40ef81dd

SHA512
e6ff9bc1e517b6424381aa45f9cf27f824fa1bc7f73d45cd10897e385e63cc2cf66f65cb2c0d145e28c60869a5d9085b29705f28796f3a2185c21faacd50b808

Download Submit
memory/704-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/704-63-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/1724-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1724-57-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1724-58-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1724-60-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1724-61-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1724-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1724-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1724-69-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads