5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af

General

Target

5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
Size

60KB
MD5

10c54306eb26094c41db2344c40b25fe
SHA1

870451dd209609de9c246caf6f803c9b7bdd2760
SHA256

5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af
SHA512

c7fd6be522c59afe4c283270cfaa3bd83e6b1500866555558abd50fc4081ce3788d81a8b1d4f3d284fcf3311ce820fe063c54a53914120b983c17e5ce1119fde
SSDEEP

768:+L2RaD6kljLzPy6F912umeWODntygh4Me11dtwbmpmDNxbx5vt367GRA+ET853ww:+LwoI+G13wbRxbxZ2+XfZGX7Q

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	winlogon.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\Winmain\winlogon.exe	winlogon.exe
File created	\??\c:\Windows\Winmain\winlogon.exe	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
File opened for modification	\??\c:\Windows\Winmain\winlogon.exe	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1612	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
Token: SeBackupPrivilege	1612	winlogon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
1612	winlogon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1612	1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe	28
PID 1904 wrote to memory of 1612	1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe	28
PID 1904 wrote to memory of 1612	1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe	28
PID 1904 wrote to memory of 1612	1904	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe	28

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe

C:\Users\Admin\AppData\Local\Temp\5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe
"C:\Users\Admin\AppData\Local\Temp\5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af.exe"
1⤵
- UAC bypass
- Windows security bypass
- Drops file in Drivers directory
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1904
- \??\c:\Windows\Winmain\winlogon.exe
  c:\Windows\Winmain\winlogon.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Winmain\winlogon.exe

Filesize
60KB

MD5
10c54306eb26094c41db2344c40b25fe

SHA1
870451dd209609de9c246caf6f803c9b7bdd2760

SHA256
5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af

SHA512
c7fd6be522c59afe4c283270cfaa3bd83e6b1500866555558abd50fc4081ce3788d81a8b1d4f3d284fcf3311ce820fe063c54a53914120b983c17e5ce1119fde

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
824B

MD5
201a9deef9984d3d98c3007571df1b5a

SHA1
c2b0acfb696ce27bcebd8d9eeb96ac45ecafb469

SHA256
cb8bc04843db34395aa4852ac845448f9677058b2bbe700626d521724ca786fe

SHA512
6b9c7fa4051b43bbc0c161e5e4d1d3e67a80d1840925ba6747d7bb9c88c22a021f50d67044b66bd8f25aa7e65e71ac3a2dd935a5af02afe317cf6c92f1fcbda3

Download Submit
\??\c:\Windows\Winmain\winlogon.exe

Filesize
60KB

MD5
10c54306eb26094c41db2344c40b25fe

SHA1
870451dd209609de9c246caf6f803c9b7bdd2760

SHA256
5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af

SHA512
c7fd6be522c59afe4c283270cfaa3bd83e6b1500866555558abd50fc4081ce3788d81a8b1d4f3d284fcf3311ce820fe063c54a53914120b983c17e5ce1119fde

Download Submit
\Windows\Winmain\winlogon.exe

Filesize
60KB

MD5
10c54306eb26094c41db2344c40b25fe

SHA1
870451dd209609de9c246caf6f803c9b7bdd2760

SHA256
5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af

SHA512
c7fd6be522c59afe4c283270cfaa3bd83e6b1500866555558abd50fc4081ce3788d81a8b1d4f3d284fcf3311ce820fe063c54a53914120b983c17e5ce1119fde

Download Submit
\Windows\Winmain\winlogon.exe

Filesize
60KB

MD5
10c54306eb26094c41db2344c40b25fe

SHA1
870451dd209609de9c246caf6f803c9b7bdd2760

SHA256
5c740fb6bc2686819b4b2348dfc60336312281e97238f1a07625fb587c45c2af

SHA512
c7fd6be522c59afe4c283270cfaa3bd83e6b1500866555558abd50fc4081ce3788d81a8b1d4f3d284fcf3311ce820fe063c54a53914120b983c17e5ce1119fde

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads