e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e

General

Target

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
Size

351KB
MD5

8bca8f663a45793182e301e5eb00510a
SHA1

6326136b3d32a736756147df147badcc4a98fcb4
SHA256

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e
SHA512

a5b9e41ca49fbbf736f070c9f65947ff042f61be48d95856dcaab13cb1d2347daec42231a1c71f8b7221c371bce63c0111cb8b04ab5aacd6cc2c4df3d7126d32
SSDEEP

6144:hq+PZTDlGsitFRWmEd5B5W4Wz2usuQxaVzJD8qzCD7O6J6dI1M+wxE6e0yC:hq+BK8j/W4+6uQc9JBM756dI1ITefC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\3ce367e1\\X"	Explorer.EXE

Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

332 csrss.exe
1580 X
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1932 cmd.exe

pid	process
332	csrss.exe
1580	X

pid	process
1932	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe

pid	process
944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe

description pid process target process

PID 944 set thread context of 1932 944 e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe cmd.exe

description	pid	process	target process
PID 944 set thread context of 1932	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{39d92504-9fba-0be7-422b-8edf7031cb36}	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39d92504-9fba-0be7-422b-8edf7031cb36}\u = "193"	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39d92504-9fba-0be7-422b-8edf7031cb36}\cid = "6029255596064276008"	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exeX

pid	process
944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
1580	X

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE

pid	process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
Token: SeDebugPrivilege	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
Token: SeShutdownPrivilege	1232	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

332 csrss.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
332	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exeX

description	pid	process	target process
PID 944 wrote to memory of 1232	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	Explorer.EXE
PID 944 wrote to memory of 332	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	csrss.exe
PID 944 wrote to memory of 1580	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	X
PID 944 wrote to memory of 1580	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	X
PID 944 wrote to memory of 1580	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	X
PID 944 wrote to memory of 1580	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	X
PID 1580 wrote to memory of 1232	1580	X	Explorer.EXE
PID 944 wrote to memory of 1932	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	cmd.exe
PID 944 wrote to memory of 1932	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	cmd.exe
PID 944 wrote to memory of 1932	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	cmd.exe
PID 944 wrote to memory of 1932	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	cmd.exe
PID 944 wrote to memory of 1932	944	e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe	cmd.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

C:\Users\Admin\AppData\Local\Temp\e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe
"C:\Users\Admin\AppData\Local\Temp\e79317f601acb972f099d1e1188d20720413cc153bdeda2ca17d55193dd10d2e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\3ce367e1\X
176.53.17.24:80
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3ce367e1\@

Filesize
2KB

MD5
88ae8ef63ebae8906b47fc476f893ff9

SHA1
84f42d60b4a0a483ecd5d34b0d67873fbd49e183

SHA256
a739bbe1eccff42ac7089844cc716dc82ca2f201827e5afb4c9f926cd98f79af

SHA512
2d933f2f4e5c96f6dc87cffaecf6d2db416537c2260ce3f128219040f30fa0a00d06005b6a09673dd814b7ca7074f305053881746e725b52efd326d2394d61a7

Download Submit
C:\Users\Admin\AppData\Local\3ce367e1\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
C:\Windows\system32\consrv.dll

Filesize
31KB

MD5
2718f2d89cab642e96ebad313b64f478

SHA1
94b8e9d95786d2e03bfe61df5705f0bfb8b77f19

SHA256
765090821b30dbca4bdf96de0ffeeeb8821013a643f9405285ef7acdb44fab58

SHA512
e25172284c1e5206568310b7a4bb0c62445a56bc5bcaae65dd39ed86456df03faa20e1a883d0df60c9253b250ff7e8d11e7bb05f89dca69ba7c5b261f35a70f6

Download Submit
\Users\Admin\AppData\Local\3ce367e1\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
\Users\Admin\AppData\Local\3ce367e1\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
2718f2d89cab642e96ebad313b64f478

SHA1
94b8e9d95786d2e03bfe61df5705f0bfb8b77f19

SHA256
765090821b30dbca4bdf96de0ffeeeb8821013a643f9405285ef7acdb44fab58

SHA512
e25172284c1e5206568310b7a4bb0c62445a56bc5bcaae65dd39ed86456df03faa20e1a883d0df60c9253b250ff7e8d11e7bb05f89dca69ba7c5b261f35a70f6

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
631b55c16a2fc0ce9902d643e9f58561

SHA1
58a93d8f6e568a56ed8de411b3e225813763006b

SHA256
3f1b8648f71c2d1cf46e4e65562ee6386c4e80e68e1764279de9e6cc524bcb8c

SHA512
cc823e63652e862d08245f92a0653aeac713295447ae0ca0502beef5eaab7d38ffb9db2ffabe323d2df7ad223169c330f696cbc7749dd9de7600fc4b632c1351

Download Submit
memory/332-80-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

Filesize
48KB

Download
memory/944-62-0x0000000000400000-0x0000000000469F3C-memory.dmp

Filesize
423KB

Download
memory/944-75-0x0000000000591000-0x00000000005AE000-memory.dmp

Filesize
116KB

Download
memory/944-76-0x0000000002000000-0x0000000002100000-memory.dmp

Filesize
1024KB

Download
memory/944-77-0x0000000002000000-0x0000000002100000-memory.dmp

Filesize
1024KB

Download
memory/944-101-0x00000000004B1000-0x00000000004F9000-memory.dmp

Filesize
288KB

Download
memory/944-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/944-63-0x00000000004B1000-0x00000000004F9000-memory.dmp

Filesize
288KB

Download
memory/944-61-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/944-58-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/944-100-0x0000000000400000-0x0000000000469F3C-memory.dmp

Filesize
423KB

Download
memory/944-55-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/1232-70-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/1232-89-0x0000000002B70000-0x0000000002B7B000-memory.dmp

Filesize
44KB

Download
memory/1232-93-0x0000000002B70000-0x0000000002B7B000-memory.dmp

Filesize
44KB

Download
memory/1232-85-0x0000000002B70000-0x0000000002B7B000-memory.dmp

Filesize
44KB

Download
memory/1232-95-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/1232-96-0x0000000002B80000-0x0000000002B8B000-memory.dmp

Filesize
44KB

Download
memory/1232-97-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/1232-98-0x0000000002B80000-0x0000000002B8B000-memory.dmp

Filesize
44KB

Download
memory/1232-74-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/1232-66-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/1580-83-0x0000000000000000-mapping.dmp

Download
memory/1932-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads