8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb

General

Target

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
Size

1.2MB
MD5

3cb6c82637c34036f154664c66680165
SHA1

681bd8a88866f1d700b70fabf1a6bd372c06f779
SHA256

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb
SHA512

38796eb5e945c19b4165169ac5eb3648a451d4323452c5fb9ca263d42dee87b0384e85e029663f812f1f57fd91df4b3eeb1f31a88b423cf84c29e88b23b12b99
SSDEEP

24576:VkEBSta9vNB1MTN2kmRCCTBMR6FrLoGOxTFYOx6NmiQdzmy+/E8:DBStSvJUzmECTBiqwxio6NZKW/n

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\sdra64.exe,"	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

Drops file in System32 directory 2 IoCs

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
File created	C:\Windows\SysWOW64\sdra64.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

description	pid	process	target process
PID 4528 set thread context of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

pid	process
5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

description pid process

Token: SeDebugPrivilege 5000 8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

pid process

4528 8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

description	pid	process
Token: SeDebugPrivilege	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

pid	process
4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe

description	pid	process	target process
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 4528 wrote to memory of 5000	4528	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe
PID 5000 wrote to memory of 616	5000	8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe	winlogon.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
"C:\Users\Admin\AppData\Local\Temp\8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe
"C:\Users\Admin\AppData\Local\Temp\8b218eabf5a71af489bde2b63a90459580a2f215bfe5c5e3f536cdf16aec95cb.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-180-0x000000003F2D0000-0x000000003F2E7000-memory.dmp

Filesize
92KB

Download
memory/616-215-0x000000003F3B0000-0x000000003F3C7000-memory.dmp

Filesize
92KB

Download
memory/616-235-0x000000003F430000-0x000000003F447000-memory.dmp

Filesize
92KB

Download
memory/616-230-0x000000003F410000-0x000000003F427000-memory.dmp

Filesize
92KB

Download
memory/616-185-0x000000003F2F0000-0x000000003F307000-memory.dmp

Filesize
92KB

Download
memory/616-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/616-150-0x000000003F210000-0x000000003F227000-memory.dmp

Filesize
92KB

Download
memory/616-190-0x000000003F310000-0x000000003F327000-memory.dmp

Filesize
92KB

Download
memory/616-160-0x000000003F250000-0x000000003F267000-memory.dmp

Filesize
92KB

Download
memory/616-165-0x000000003F270000-0x000000003F287000-memory.dmp

Filesize
92KB

Download
memory/616-170-0x000000003F290000-0x000000003F2A7000-memory.dmp

Filesize
92KB

Download
memory/616-175-0x000000003F2B0000-0x000000003F2C7000-memory.dmp

Filesize
92KB

Download
memory/616-225-0x000000003F3F0000-0x000000003F407000-memory.dmp

Filesize
92KB

Download
memory/616-220-0x000000003F3D0000-0x000000003F3E7000-memory.dmp

Filesize
92KB

Download
memory/616-155-0x000000003F230000-0x000000003F247000-memory.dmp

Filesize
92KB

Download
memory/616-195-0x000000003F330000-0x000000003F347000-memory.dmp

Filesize
92KB

Download
memory/616-200-0x000000003F350000-0x000000003F367000-memory.dmp

Filesize
92KB

Download
memory/616-205-0x000000003F370000-0x000000003F387000-memory.dmp

Filesize
92KB

Download
memory/616-210-0x000000003F390000-0x000000003F3A7000-memory.dmp

Filesize
92KB

Download
memory/4528-138-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4528-134-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5000-135-0x0000000000000000-mapping.dmp

Download
memory/5000-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5000-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5000-236-0x0000000000580000-0x000000000058F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads