e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d

General

Target

e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Size

77KB
MD5

fb56a4f1f8a68dad6763d5e060a86149
SHA1

261a396d632f0ce3142ccf1572f6b2cd4560789b
SHA256

e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d
SHA512

a06381ac0195c5b4e61c3126c431f5b39097ec22712a810f7ce0598cd78640f1238f71e9224f0a71d40b6a598b10bd8d4ecb8c40f9b64ba0e9155d15c47bb3a5
SSDEEP

1536:AUHuE2VSGTS5YINmv53Snc3OivLF5/NzQqeBSnpwbOHmgE5Xq0:AUHuE2EGW5YIM3/e+FdNzoBZemgEs0

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-133-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral2/memory/4956-137-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4956-136-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral2/memory/4956-138-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral2/memory/4956-140-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4956	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\enimbsy = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\enimbsy.dll\",enimbsy"	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy\Impersonate = "1"	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy\Asynchronous = "1"	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy\MaxWait = "1"	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy\emdkgjhw = 12e2cb814a882f079410	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy\DllName = "C:\\Users\\Admin\\AppData\\Local\\enimbsy.dll"	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enimbsy\Startup = "enimbsy"	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81
PID 4984 wrote to memory of 4956	4984	e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe	81

C:\Users\Admin\AppData\Local\Temp\e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
"C:\Users\Admin\AppData\Local\Temp\e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
  C:\Users\Admin\AppData\Local\Temp\e0aed088839564c31a0ecef09f63329a07304d05e3ea3cd6b44ee04d3d4dcf7d.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enimbsy.dll

Filesize
31KB

MD5
2541c4e9417524173d8c28c405a641ae

SHA1
10513e91245a2b3d0b5ef54ce587d3a547c9cf53

SHA256
0181705204ad4575711caccf6099b4aa84ed54594f07b61e0bbeef27b527936d

SHA512
f87816c1a8226c8553153c5376b53b91358208368255e71429f0eb602b964c68916620d6d28844d22ac42a975d14af0cc4464a79dca3a27769755f95d4fad29f

Download Submit
memory/4956-133-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4956-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4956-136-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4956-138-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4956-140-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4984-134-0x0000000000AB0000-0x0000000000AB4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads