f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2

General

Target

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Size

107KB
MD5

486f4914bbd37fd14a54c7b188406b83
SHA1

3e67e237e6d450df323be61a0be3a38e405104cd
SHA256

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2
SHA512

ae51fa052644d9a994872749565e5a05a66dbdeab819a5308c5ca77c3432d608f89b4ea96aa0410bcfb09f1dcca42ed43415d6b7119708ced2afe45a649ff27f
SSDEEP

1536:W0b+eEYF75iNmMwnGPUc968YyF0PlyHDn0mC0ysrcuVZR3e3Z7BfrPf9Nii:dbzEYF72mMwn3c968YyCQA54Vr8Z4i

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

pid process

892 f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

pid	process
892	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bilmopc = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\bilmopc.dll\",bilmopc"	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc\Impersonate = "1"	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc\Asynchronous = "1"	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc\MaxWait = "1"	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc\invoksla = 65b3475595cd1e552a9b	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc\DllName = "C:\\Users\\Admin\\AppData\\Local\\bilmopc.dll"	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc\Startup = "bilmopc"	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bilmopc	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

description	pid	process	target process
PID 364 set thread context of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

pid	process
364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

description	pid	process	target process
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
PID 364 wrote to memory of 892	364	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe	f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe

C:\Users\Admin\AppData\Local\Temp\f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
"C:\Users\Admin\AppData\Local\Temp\f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
C:\Users\Admin\AppData\Local\Temp\f878f758d6345968afb2c9f0df6d4d3d2a160d77b4a87eedb5fca6a0bcd7cca2.exe
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\bilmopc.dll

Filesize
13KB

MD5
d2cb4230bcd7e91421c98179d98de845

SHA1
915923bb6ed1f3c0b1eae844519646918b9a57b5

SHA256
664cad77ebc9b3f17b790d2ef2701efbba0cecf2b69c01985f15479b7ced2029

SHA512
5fe336fda93b59ea677e593204cabb21de68e06be3867bdfeee44a23006d2e0d9289e3a8ae0812690b77b6136329fe675537a457b7f8def2408a0a54a69a54c0

Download Submit
memory/364-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/364-65-0x00000000003E0000-0x00000000003E4000-memory.dmp

Filesize
16KB

Download
memory/892-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-64-0x0000000000401000-mapping.dmp

Download
memory/892-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads