Analysis

  • max time kernel
    190s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 09:27

General

  • Target

    5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe

  • Size

    31.8MB

  • MD5

    34e165db7781fdb98ffbdb89950013f9

  • SHA1

    b2bc9495bb13ee35f4b07ccaf1ba706e05f50f7c

  • SHA256

    5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf

  • SHA512

    fdc5217dad8a140fe4e2fc7db167638ef9f60b4de441803d07afc04371119dc8243650d62ab89d45a866135df08319115b680c4b0004bd6ae5446cc4dff80153

  • SSDEEP

    393216:qyJXk2mMuOjiYOj257OUF3og0zHie8+ZqUCd1CPwDv3uFKhBrqW4tLFDoe:XJXk2/I29XF3og0Oe3Llt

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Drops file in Drivers directory (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Disables Windows logging functionality (2 TTPs)

    Changes registry settings to disable Windows Event logging.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe
    "C:\Users\Admin\AppData\Local\Temp\5d82ffb7987b1280057f4aba5768f1503c9332ecff850452697ddf5c603316bf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\Local\Temp\kiosk_net.dll
      C:\Users\Admin\AppData\Local\Temp\kiosk_net.dll
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5112

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Winlogon Helper DLL (1) - T1004
  • Defense Evasion
    • Modify Registry (2) - T1112
    • Disabling Security Tools (1) - T1089

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kiosk_net.dll
    Filesize

    9.5MB

    MD5

    4235a683791056699f2e1d0cc3e66f36

    SHA1

    50bd581079e1e6c90d4d81bab3e484a662b96b0d

    SHA256

    5bad8d0e2b48f45585fc8e1e2f7a551bd1cfccc3d259ce09c0c49003f66ace33

    SHA512

    7c836fe1dc4ab9d8bd5feefc16cd6514fae23d38c34a741b02c5ea7deacb2c1d69de5c13e2173183b65254766ef4c6da6631ffd95caf5a862f582144c95d1d13

  • memory/5112-132-0x0000000000000000-mapping.dmp
  • memory/5112-135-0x0000000000400000-0x0000000002E54000-memory.dmp
    Filesize

    42.3MB