c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Size

156KB
MD5

84ee3d68ceef4ef39efb170d2664b8e0
SHA1

ee6fe4519cf00284cab5b83fa09b43ca7c63c37c
SHA256

c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819
SHA512

caf87557fdd45b6105c9ebf09405861f7015209b3ecd32c321ac01e3c50d7c4196536c2fea7ad437348038cea08780b2002effebe555c642c150d3600f8c27f0
SSDEEP

3072:OeBztYPIQSqVTtfpMlk0zuA9AP+UGXUBxw6dXMIReX9BXlN:Oed2wuVTtqlRqyAP+1EBi6d8H

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1612	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoostrm\Shutdown = "WlxShutdownEvent"	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoostrm\Impersonate = "0"	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoostrm\Asynchronous = "0"	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoostrm	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoostrm\DllName = "C:\\Windows\\system32\\spoostrm.dll"	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spoostrm\Startup = "WlxStartupEvent"	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spoostrm.dll	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
File created	C:\Windows\SysWOW64\spoostrm.exe	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe

C:\Users\Admin\AppData\Local\Temp\c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe
"C:\Users\Admin\AppData\Local\Temp\c0967c1a26ba6e947627687ea2a2eff2959bc9e88ed6f24c88829218e6cd2819.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\spoostrm.dll

Filesize
116KB

MD5
234b9bc8e3517fdda4313b4a34c63ad4

SHA1
c3716dd4e985fe8faefcf1b30ba35596c4b47ab2

SHA256
9fc15ab6d8c6adc07fec8dd71758cffb1628f3e4d86177d36059b008b993202b

SHA512
79f648b358ac54243c6c65dae94f33603c51981760161959800cf2b25e2d93d90854fbac66383e6cb472eb4ee54f49d724d99e48296932accb7cad972ab5a25d

Download Submit