a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1

General

Target

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe
Size

176KB
MD5

a07e6b68e78e8de04ef53dfcbb42ad09
SHA1

c1e8cf1db7b126dbf09170414e7ce84b99e11f85
SHA256

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1
SHA512

a0328e6ca49b80b37c0f02cebeef4383fd95b0b9f3bd997c18cee3ec2fe6c0d67f5eb2056876462f0d7d30075dd00c39e18288b7244ae5ad4a9991fe769ade1d
SSDEEP

3072:7ofKHb2VlN9ydRo9CTlPgsVG9L4vdyUbW2qFQE4GVpu1Wt:7ofmbEN9BE+WUUvPW2qp4GVp2c

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

Drops file in System32 directory 2 IoCs

Processes:

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ntos.exe	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe
File created	C:\Windows\SysWOW64\ntos.exe	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

pid	process
2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe
2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe
2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe
2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

description pid process

Token: SeDebugPrivilege 2420 a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

description	pid	process
Token: SeDebugPrivilege	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe

description	pid	process	target process
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe
PID 2420 wrote to memory of 608	2420	a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe	winlogon.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe
"C:\Users\Admin\AppData\Local\Temp\a3c0f849270611b2008a39988691f932ae841a07bce7d8f14516fc9ef8e49ad1.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-182-0x000000003C0B0000-0x000000003C0D4000-memory.dmp

Filesize
144KB

Download
memory/608-217-0x000000003C200000-0x000000003C224000-memory.dmp

Filesize
144KB

Download
memory/608-142-0x000000003BF30000-0x000000003BF54000-memory.dmp

Filesize
144KB

Download
memory/608-147-0x000000003BF60000-0x000000003BF84000-memory.dmp

Filesize
144KB

Download
memory/608-152-0x000000003BF90000-0x000000003BFB4000-memory.dmp

Filesize
144KB

Download
memory/608-157-0x000000003BFC0000-0x000000003BFE4000-memory.dmp

Filesize
144KB

Download
memory/608-162-0x000000003BFF0000-0x000000003C014000-memory.dmp

Filesize
144KB

Download
memory/608-172-0x000000003C050000-0x000000003C074000-memory.dmp

Filesize
144KB

Download
memory/608-227-0x000000003C260000-0x000000003C284000-memory.dmp

Filesize
144KB

Download
memory/608-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/608-167-0x000000003C020000-0x000000003C044000-memory.dmp

Filesize
144KB

Download
memory/608-187-0x000000003C0E0000-0x000000003C104000-memory.dmp

Filesize
144KB

Download
memory/608-192-0x000000003C110000-0x000000003C134000-memory.dmp

Filesize
144KB

Download
memory/608-197-0x000000003C140000-0x000000003C164000-memory.dmp

Filesize
144KB

Download
memory/608-202-0x000000003C170000-0x000000003C194000-memory.dmp

Filesize
144KB

Download
memory/608-207-0x000000003C1A0000-0x000000003C1C4000-memory.dmp

Filesize
144KB

Download
memory/608-212-0x000000003C1D0000-0x000000003C1F4000-memory.dmp

Filesize
144KB

Download
memory/608-177-0x000000003C080000-0x000000003C0A4000-memory.dmp

Filesize
144KB

Download
memory/608-222-0x000000003C230000-0x000000003C254000-memory.dmp

Filesize
144KB

Download
memory/2420-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads