a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b

General

Target

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Size

105KB
MD5

e181b0d9994f856d1baeb04db7474a4c
SHA1

afd4ded500179268141d2dffb51b26c8f02c9f9f
SHA256

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b
SHA512

274ae3513b5dc958748229b41e18f56cf9e081725b807f8366a45993300b12eda51ef57e1b20428f8a7316b99b9502882d5cbe2b001eddcf6c1a080e719e6917
SSDEEP

3072:eYQP3z/bvx/rm24FmIr0C8Z8qEcj3Jq+ianM1Hgye+sJC:NmW08q7j3Jqh42HgybsE

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

pid process

1328 a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

pid	process
1328	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\profslo = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\profslo.dll\",profslo"	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo\DllName = "C:\\Users\\Admin\\AppData\\Local\\profslo.dll"	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo\Startup = "profslo"	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo\Impersonate = "1"	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo\Asynchronous = "1"	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo\MaxWait = "1"	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\profslo\sekivmde = 44f0e05811c183632282	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

description	pid	process	target process
PID 944 set thread context of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

pid	process
944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

description	pid	process	target process
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
PID 944 wrote to memory of 1328	944	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe	a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe

C:\Users\Admin\AppData\Local\Temp\a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
"C:\Users\Admin\AppData\Local\Temp\a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
C:\Users\Admin\AppData\Local\Temp\a6ae5732f76c1617346603ee00d04db16183318120e6ed2410efd4d36806995b.exe
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\profslo.dll

Filesize
14KB

MD5
d01b51ab4cd3edf3c2264be8890ef1fa

SHA1
5238c736eb305eaf2bc19d801cf5bc80fc5c8615

SHA256
93be9757ef0287e70f904c8ebcd9745906594c5732b89f3233b632db032549a5

SHA512
ec0be8be36fad8d2ced0554565627a6e28b0af4c5c5e0b1e49dfa225b773d54130c84794608bb93c84555bf0598edfa1bf27774c432713efb3f03ace9244e769

Download Submit
memory/944-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/944-65-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1328-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-64-0x0000000000401000-mapping.dmp

Download
memory/1328-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1328-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads