504aba9ffc85b963c92b2725c54b2f16e8dca913b5dbe2b7d75786eee3692a38

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

©ɱ/089.exe
Size

92KB
MD5

51c7d3f4106b5557f9bdfaab4267be80
SHA1

b5fc281eb69f928836b87a368c75a463d0e98c32
SHA256

9e8daaef763f7ba248c473550d75ec675fa789ed61ac8796dd5357d928fcccad
SHA512

c800da51283853f39c1a2498e9d6395c38afe81dedfd0fdb25e33cba8ef50b4897e084924ae7b6a2f864c4cb4456c470c372e01f2333d80336ac3fa9491a35c8
SSDEEP

768:PpOOOgbxjhv+ZddsrCnDXn2tPIlnXOREbGnFkHjbGyrIMWG5ErjS:PpOOOiGZHkCDG1SmF2jbxWGq6

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\ProgramData\\DisplaySwitch.exe"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DisplaySwitch = "\"C:\\ProgramData\\DisplaySwitch.exe\""	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

089.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 089.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

089.exe

pid process

1488 089.exe
1488 089.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

089.exe

description pid process

Token: SeDebugPrivilege 1488 089.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

089.exe

pid process

1488 089.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	089.exe

pid	process
1488	089.exe
1488	089.exe

description	pid	process
Token: SeDebugPrivilege	1488	089.exe

pid	process
1488	089.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

089.exe

description	pid	process	target process
PID 1488 wrote to memory of 1076	1488	089.exe	svchost.exe
PID 1488 wrote to memory of 1076	1488	089.exe	svchost.exe
PID 1488 wrote to memory of 1076	1488	089.exe	svchost.exe
PID 1488 wrote to memory of 1076	1488	089.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\©ɱ\089.exe
"C:\Users\Admin\AppData\Local\Temp\©ɱ\089.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1076

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-57-0x0000000000000000-mapping.dmp

Download
memory/1076-61-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1076-60-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1076-62-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1488-54-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/1488-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1488-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads