Overview

overview

10

Static

static

f8e84bc2bb...42.exe

windows7-x64

5

f8e84bc2bb...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8e84bc2bb5f02f273abd03071c6d0965f2f3a8fff7993a6c6ee319023efc442.exe

  • Size

    398KB

  • MD5

    083a9bc85907d70a960b826f704e7e81

  • SHA1

    c18f30158eef05cdfe446d316d9e86ebd16c2416

  • SHA256

    f8e84bc2bb5f02f273abd03071c6d0965f2f3a8fff7993a6c6ee319023efc442

  • SHA512

    6f6ff36598de30a366b6d377f371bb95c96d1403c3ca6ea9a202606ed1a69e1e2380411af0b192d53de8d17e88f4a6583b176e0233180ce4abf0e803ccd02132

  • SSDEEP

    12288:VXLHTMmI7/EjOEWpBWvZas6OlIoIjFSza4/4/oMxsQ:V7TMmIrUAsNDIhSz2QG

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:588
    • C:\Users\Admin\AppData\Local\Temp\f8e84bc2bb5f02f273abd03071c6d0965f2f3a8fff7993a6c6ee319023efc442.exe
      "C:\Users\Admin\AppData\Local\Temp\f8e84bc2bb5f02f273abd03071c6d0965f2f3a8fff7993a6c6ee319023efc442.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Users\Admin\AppData\Local\Temp\f8e84bc2bb5f02f273abd03071c6d0965f2f3a8fff7993a6c6ee319023efc442.exe
        "C:\Users\Admin\AppData\Local\Temp\f8e84bc2bb5f02f273abd03071c6d0965f2f3a8fff7993a6c6ee319023efc442.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1944

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/588-209-0x000000000A120000-0x000000000A137000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-199-0x000000000A0E0000-0x000000000A0F7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-239-0x000000000A1E0000-0x000000000A1F7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-234-0x000000000A1C0000-0x000000000A1D7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-174-0x000000000A040000-0x000000000A057000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-229-0x000000000A1A0000-0x000000000A1B7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-224-0x000000000A180000-0x000000000A197000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-169-0x000000000A020000-0x000000000A037000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-214-0x000000000A140000-0x000000000A157000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-149-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-154-0x0000000009FC0000-0x0000000009FD7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-159-0x0000000009FE0000-0x0000000009FF7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-204-0x000000000A100000-0x000000000A117000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-219-0x000000000A160000-0x000000000A177000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-164-0x000000000A000000-0x000000000A017000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-179-0x000000000A060000-0x000000000A077000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-184-0x000000000A080000-0x000000000A097000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-189-0x000000000A0A0000-0x000000000A0B7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/588-194-0x000000000A0C0000-0x000000000A0D7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1144-133-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1144-132-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1144-140-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1144-134-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1944-138-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1944-144-0x00000000004A0000-0x00000000004AF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1944-143-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1944-141-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download