7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1

Analysis

max time kernel
148s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe
Size

100KB
MD5

11f17b107fb10c7e7d2e208af4949770
SHA1

940db2851b4dafb25fdc60be825cf2da3a6a3f5c
SHA256

7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1
SHA512

4c1bb53840e68c8edd6add5b443ee850096d437ab2b8797da65a597c6b3dd02fb97689dfa29eea643581fcfe6781c7218c290a86fcd756adbf20a25f9e6b7704
SSDEEP

1536:+9a+2m6oXmu9A2jin5mzVLdOaGMH1wvSZeM7+Rot:+9Kmzmu9A7nnaRYEX+Rot

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
792	sysmgr.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4"	sysmgr.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	sysmgr.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	sysmgr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\conf.dat	sysmgr.exe
File created	C:\Windows\sysmgr.exe	7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe
File created	C:\Windows\svc.dat	7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe
File opened for modification	C:\Windows\conf.dat	sysmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 792	788	7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe	28
PID 788 wrote to memory of 792	788	7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe	28
PID 788 wrote to memory of 792	788	7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe	28
PID 788 wrote to memory of 792	788	7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe	28

C:\Users\Admin\AppData\Local\Temp\7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe
"C:\Users\Admin\AppData\Local\Temp\7a13c34c67e4580b28f83d90125c587af8ddf1ffe61dc8afd633a2b560848fa1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\sysmgr.exe
  "C:\Windows\sysmgr.exe"
  2⤵
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svc.dat

Filesize
2KB

MD5
8ca5fe5899790c565a5d5792642575c6

SHA1
5e86e964d7778c2a6d0eec5be21ba2d005b87ec9

SHA256
cf86b7947374c82fb2a21b60a058eeb8061999175de117f3a22c4d91b3d0b14e

SHA512
65c4ae08fd6ea50ec02d9b1fef99e04d08690acc5da41fe8bcd93607a9f5386ed008e8495faa6318c523f3b871266f46da048fcba6ef6a533ed5c34a811f2ead

Download Submit
C:\Windows\sysmgr.exe

Filesize
36KB

MD5
2373dfbdba70b54164d4fe163f7f59f1

SHA1
fbc51778f9e4868ddce4763d0bef4cb48090e3f6

SHA256
e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

SHA512
32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

Download Submit
C:\Windows\sysmgr.exe

Filesize
36KB

MD5
2373dfbdba70b54164d4fe163f7f59f1

SHA1
fbc51778f9e4868ddce4763d0bef4cb48090e3f6

SHA256
e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

SHA512
32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

Download Submit
memory/788-54-0x0000000074E01000-0x0000000074E03000-memory.dmp

Filesize
8KB

Download
memory/788-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download