9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041

General

Target

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe
Size

1.0MB
MD5

b3808373acbf5cd33017d74a9d98fc97
SHA1

13ebf7d5b278d2cc5086418396be481cb63c0b5f
SHA256

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041
SHA512

94ee11f96e18bac9a2a3014d78e95eff4373781a2eae173a0fdb4f652a50022960faf5c09bd81bb8cd5c0b4ed354f580ab8120e744796991abf9ba729cd1dc37
SSDEEP

24576:fxtX01nIv47zxUkDmmfdECJCIkFniRksy5j69c:JtXqnRzyoJfdTJG8kl

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\System32\\config\\Journal\\winlogon.exe"	Trojan.exe

Executes dropped EXE 2 IoCs

Processes:

Brute.exeTrojan.exe

pid process

1948 Brute.exe
1436 Trojan.exe

pid	process
1948	Brute.exe
1436	Trojan.exe

Loads dropped DLL 2 IoCs

Processes:

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe

pid	process
1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe
1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe

Drops file in System32 directory 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Windows\System32\config\Journal\winlogon.exe	Trojan.exe
File opened for modification	C:\Windows\System32\config\Journal\winlogon.exe	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe

description	pid	process	target process
PID 1636 wrote to memory of 1948	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 1636 wrote to memory of 1948	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 1636 wrote to memory of 1948	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 1636 wrote to memory of 1948	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 1636 wrote to memory of 1436	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Trojan.exe
PID 1636 wrote to memory of 1436	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Trojan.exe
PID 1636 wrote to memory of 1436	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Trojan.exe
PID 1636 wrote to memory of 1436	1636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe
"C:\Users\Admin\AppData\Local\Temp\9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\Brute.exe
"C:\Users\Admin\AppData\Local\Temp\Brute.exe"
2⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:1436

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Brute.exe
Filesize
1.5MB

MD5
f9e45861c7f2bad01d08c61da0b74270

SHA1
12b6e0785320009df763d4d6351c52bd8de631c5

SHA256
5a64d18bea2573939fd21ec469fa4a2b58c0c455e8e00df0a5aeb2b5ad21941d

SHA512
d4194c0418ee156f0c844d67b0f9aa0f0c8583b3e108a5c04605f50624b2200e461210c48e4265fc1ebab79f76afcf9330e854489c1ef4c0901c50e9f262ed5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
11KB

MD5
56d7965758dc724dfe9c5b8afc9f4036

SHA1
76d1ffaf52f4c608a067f1143899235ac92a5c1b

SHA256
ebd926753914e013f94ded1f37c36e6ef0fa2418f69d36c836ca4148b4269d3f

SHA512
b7b9d7aee65ccba8023de9382fa6513938805c01a6878c8c397124f2d197f33ece7d4a8cb7ef402c20ffa9890a3df0d664a4c17dc05a5bb0dfc690af981e2edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
11KB

MD5
56d7965758dc724dfe9c5b8afc9f4036

SHA1
76d1ffaf52f4c608a067f1143899235ac92a5c1b

SHA256
ebd926753914e013f94ded1f37c36e6ef0fa2418f69d36c836ca4148b4269d3f

SHA512
b7b9d7aee65ccba8023de9382fa6513938805c01a6878c8c397124f2d197f33ece7d4a8cb7ef402c20ffa9890a3df0d664a4c17dc05a5bb0dfc690af981e2edd

Download Submit
\Users\Admin\AppData\Local\Temp\Brute.exe
Filesize
1.5MB

MD5
f9e45861c7f2bad01d08c61da0b74270

SHA1
12b6e0785320009df763d4d6351c52bd8de631c5

SHA256
5a64d18bea2573939fd21ec469fa4a2b58c0c455e8e00df0a5aeb2b5ad21941d

SHA512
d4194c0418ee156f0c844d67b0f9aa0f0c8583b3e108a5c04605f50624b2200e461210c48e4265fc1ebab79f76afcf9330e854489c1ef4c0901c50e9f262ed5e

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
11KB

MD5
56d7965758dc724dfe9c5b8afc9f4036

SHA1
76d1ffaf52f4c608a067f1143899235ac92a5c1b

SHA256
ebd926753914e013f94ded1f37c36e6ef0fa2418f69d36c836ca4148b4269d3f

SHA512
b7b9d7aee65ccba8023de9382fa6513938805c01a6878c8c397124f2d197f33ece7d4a8cb7ef402c20ffa9890a3df0d664a4c17dc05a5bb0dfc690af981e2edd

Download Submit
memory/1436-59-0x0000000000000000-mapping.dmp

Download
memory/1436-63-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1436-64-0x000007FEF3000000-0x000007FEF4096000-memory.dmp

Filesize
16.6MB

Download
memory/1436-65-0x0000000002086000-0x00000000020A5000-memory.dmp

Filesize
124KB

Download
memory/1636-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads