84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246

Analysis

max time kernel
155s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe
Size

46KB
MD5

93bd57e22eb8841e8021fad9fbfef130
SHA1

73df3cab59ade17ea45a724df061483ef0338be5
SHA256

84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246
SHA512

ae9e9043b08d23f0990223b2fe70a5c032376ec7daa532e2b78b2657d5fcc8810fee8495020b7bfad681bc24cd423d7ee612ef765e72ab7ddaa8df0c4c06b4f3
SSDEEP

768:b7SD6iAI38wJIDU1WWUl9/MvaN85YtbZ4AOAXQyPn//nLgiF7O8KFGmLHHLF:b1i5R1Wdl9Cx5YbZQAgyP/vLODFG2H

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntos.exe	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe
File created	C:\Windows\SysWOW64\ntos.exe	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe
2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe
2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe
2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3
PID 2040 wrote to memory of 576	2040	84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe	3

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe
"C:\Users\Admin\AppData\Local\Temp\84cccf04cbe017eabf8c4a9dec871df3782a9a9bc2fdcb66fd5956b96ee8e246.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-174-0x000000002F040000-0x000000002F065000-memory.dmp

Filesize
148KB

Download
memory/576-142-0x000000002EEC0000-0x000000002EEE5000-memory.dmp

Filesize
148KB

Download
memory/576-222-0x000000002F280000-0x000000002F2A5000-memory.dmp

Filesize
148KB

Download
memory/576-138-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/576-178-0x000000002F070000-0x000000002F095000-memory.dmp

Filesize
148KB

Download
memory/576-146-0x000000002EEF0000-0x000000002EF15000-memory.dmp

Filesize
148KB

Download
memory/576-150-0x000000002EF20000-0x000000002EF45000-memory.dmp

Filesize
148KB

Download
memory/576-182-0x000000002F0A0000-0x000000002F0C5000-memory.dmp

Filesize
148KB

Download
memory/576-158-0x000000002EF80000-0x000000002EFA5000-memory.dmp

Filesize
148KB

Download
memory/576-162-0x000000002EFB0000-0x000000002EFD5000-memory.dmp

Filesize
148KB

Download
memory/576-166-0x000000002EFE0000-0x000000002F005000-memory.dmp

Filesize
148KB

Download
memory/576-170-0x000000002F010000-0x000000002F035000-memory.dmp

Filesize
148KB

Download
memory/576-218-0x000000002F250000-0x000000002F275000-memory.dmp

Filesize
148KB

Download
memory/576-214-0x000000002F220000-0x000000002F245000-memory.dmp

Filesize
148KB

Download
memory/576-154-0x000000002EF50000-0x000000002EF75000-memory.dmp

Filesize
148KB

Download
memory/576-186-0x000000002F0D0000-0x000000002F0F5000-memory.dmp

Filesize
148KB

Download
memory/576-190-0x000000002F100000-0x000000002F125000-memory.dmp

Filesize
148KB

Download
memory/576-194-0x000000002F130000-0x000000002F155000-memory.dmp

Filesize
148KB

Download
memory/576-198-0x000000002F160000-0x000000002F185000-memory.dmp

Filesize
148KB

Download
memory/576-202-0x000000002F190000-0x000000002F1B5000-memory.dmp

Filesize
148KB

Download
memory/576-206-0x000000002F1C0000-0x000000002F1E5000-memory.dmp

Filesize
148KB

Download
memory/576-210-0x000000002F1F0000-0x000000002F215000-memory.dmp

Filesize
148KB

Download
memory/2040-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download