de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620

General

Target

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
Size

194KB
MD5

9c8cd9cf5a547edf7a2f3ae2505917ca
SHA1

12b19be467e056bdbfdc0e8a014656b7f2977932
SHA256

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620
SHA512

17c0f36b0ef3bc2fd50656f498dd576da26df92f6940458304bb48ec9ed5b85ac34132977e040c32553247cb63e495dcd3343fd1017ec959544775de3c957b6d
SSDEEP

3072:HNaP3zllRFUTp7YLhc/fNxyKn4MyvHlxFILjT:YP3JlRFUFUhcHZGHlU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-92181681\\1887g3dq8.exe"	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\6p28g7dq8 = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-92181681\\1887g3dq8.exe"	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

description	ioc	process
File created	C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-92181681\Desktop.ini	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-92181681\\1887g3dq8.exe"	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

description	pid	process	target process
PID 932 set thread context of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exede7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

pid	process
932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
892	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exede7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe

description	pid	process	target process
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 932 wrote to memory of 892	932	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
PID 892 wrote to memory of 1208	892	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	Explorer.EXE
PID 892 wrote to memory of 1208	892	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	Explorer.EXE
PID 892 wrote to memory of 1208	892	de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
  "C:\Users\Admin\AppData\Local\Temp\de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe
    "C:\Users\Admin\AppData\Local\Temp\de7a44771168e6be8c5c3bc90b3755eb5a5f4e059a65b648a3b85a671bf43620.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/892-61-0x0000000000401920-mapping.dmp

Download
memory/892-63-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/932-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/932-64-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads