cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe
Size

36KB
MD5

3e1d788a5061f51b173ef514c52b58af
SHA1

d14c0927ceeb3313d4e4c429a19efa191b4383e2
SHA256

cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1
SHA512

f1c81992c6d611a28bd4bbbcfe5a04688f27b6033d2185b2b2be4d8ddae74dab21fadfba69252f0170068b714099df5a599d0e906e0519972f538b114ab841d2
SSDEEP

768:sUXfmTR6v/x9VINA9gEQPAhZTIDQ5sHS3xf:sUvmTgv/SNAEFS3F

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\Amoumain.exe"	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe

Executes dropped EXE 1 IoCs

pid	Process
860	Amoumain.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe
1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Amoumain.exe	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe
860	Amoumain.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 860	1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe	27
PID 1044 wrote to memory of 860	1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe	27
PID 1044 wrote to memory of 860	1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe	27
PID 1044 wrote to memory of 860	1044	cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe	27

C:\Users\Admin\AppData\Local\Temp\cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe
"C:\Users\Admin\AppData\Local\Temp\cc348e83a14208c2e3cbc410c280ee723fa0f4ce4bba1dc2bdc2e097505e64e1.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\Amoumain.exe
  C:\Windows\system32\Amoumain.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
26ba190a12b50ed72a9a79b41e7f9ad3

SHA1
aeda6238d815477394b227e0c46c1e2f7b214291

SHA256
64374e22c1ebac877c6c02d53bd09d0daeba2bfb170099cfdaf4d0b5f5bf0eb9

SHA512
e52e33f30c370bcd4562f14c7f18a658c97842421a1926761790d131c35f532c90a89be2ba4ebb6b900958f86ca0ee8262c408a14f6f81e0a0dbeb9e027aa83c

Download Submit
C:\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
26ba190a12b50ed72a9a79b41e7f9ad3

SHA1
aeda6238d815477394b227e0c46c1e2f7b214291

SHA256
64374e22c1ebac877c6c02d53bd09d0daeba2bfb170099cfdaf4d0b5f5bf0eb9

SHA512
e52e33f30c370bcd4562f14c7f18a658c97842421a1926761790d131c35f532c90a89be2ba4ebb6b900958f86ca0ee8262c408a14f6f81e0a0dbeb9e027aa83c

Download Submit
\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
26ba190a12b50ed72a9a79b41e7f9ad3

SHA1
aeda6238d815477394b227e0c46c1e2f7b214291

SHA256
64374e22c1ebac877c6c02d53bd09d0daeba2bfb170099cfdaf4d0b5f5bf0eb9

SHA512
e52e33f30c370bcd4562f14c7f18a658c97842421a1926761790d131c35f532c90a89be2ba4ebb6b900958f86ca0ee8262c408a14f6f81e0a0dbeb9e027aa83c

Download Submit
\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
26ba190a12b50ed72a9a79b41e7f9ad3

SHA1
aeda6238d815477394b227e0c46c1e2f7b214291

SHA256
64374e22c1ebac877c6c02d53bd09d0daeba2bfb170099cfdaf4d0b5f5bf0eb9

SHA512
e52e33f30c370bcd4562f14c7f18a658c97842421a1926761790d131c35f532c90a89be2ba4ebb6b900958f86ca0ee8262c408a14f6f81e0a0dbeb9e027aa83c

Download Submit