74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3

Analysis

max time kernel
240s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 22:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe
Size

42KB
MD5

39c92e6b3af8883476cb58259e8f625b
SHA1

a6b7c11c2670d3b4d60bbb35edfbd0966f659686
SHA256

74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3
SHA512

f785783f71a6f637217ffd31339af0c9494508d85a91ed13d96b9727724853d56311668e72458c7fb8ba85e6b7834b80321518a0df77282443f6e65123c4fa88
SSDEEP

768:1B77777J77c77c77c7q8S1XeSltlNvIrHsK0Lp/K9KcKlhShlYcVLt6B77777J75:1B77777J77c77c77c71S1XeilJIr96Br

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\26D6B34.exe\""	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\26D6B34.exe = "C:\\Windows\\26D6B34.exe"	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\26D6B34.exe	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe
File opened for modification	C:\Windows\26D6B34QQSRTT.exe	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
904	TASKKILL.exe
1856	TASKKILL.exe
704	TASKKILL.exe
1216	TASKKILL.exe
1680	TASKKILL.exe
1768	TASKKILL.exe
840	TASKKILL.exe
1708	TASKKILL.exe
1132	TASKKILL.exe
1304	TASKKILL.exe
1804	TASKKILL.exe
844	TASKKILL.exe
1660	TASKKILL.exe
1348	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	TASKKILL.exe
Token: SeDebugPrivilege	1856	TASKKILL.exe
Token: SeDebugPrivilege	1660	TASKKILL.exe
Token: SeDebugPrivilege	1804	TASKKILL.exe
Token: SeDebugPrivilege	844	TASKKILL.exe
Token: SeDebugPrivilege	704	TASKKILL.exe
Token: SeDebugPrivilege	1304	TASKKILL.exe
Token: SeDebugPrivilege	1768	TASKKILL.exe
Token: SeDebugPrivilege	1708	TASKKILL.exe
Token: SeDebugPrivilege	904	TASKKILL.exe
Token: SeDebugPrivilege	1680	TASKKILL.exe
Token: SeDebugPrivilege	1216	TASKKILL.exe
Token: SeDebugPrivilege	1348	TASKKILL.exe
Token: SeDebugPrivilege	1132	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 904	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	28
PID 668 wrote to memory of 904	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	28
PID 668 wrote to memory of 904	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	28
PID 668 wrote to memory of 904	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	28
PID 668 wrote to memory of 1856	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	30
PID 668 wrote to memory of 1856	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	30
PID 668 wrote to memory of 1856	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	30
PID 668 wrote to memory of 1856	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	30
PID 668 wrote to memory of 1304	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	31
PID 668 wrote to memory of 1304	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	31
PID 668 wrote to memory of 1304	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	31
PID 668 wrote to memory of 1304	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	31
PID 668 wrote to memory of 1768	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	32
PID 668 wrote to memory of 1768	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	32
PID 668 wrote to memory of 1768	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	32
PID 668 wrote to memory of 1768	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	32
PID 668 wrote to memory of 1804	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	35
PID 668 wrote to memory of 1804	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	35
PID 668 wrote to memory of 1804	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	35
PID 668 wrote to memory of 1804	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	35
PID 668 wrote to memory of 844	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	37
PID 668 wrote to memory of 844	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	37
PID 668 wrote to memory of 844	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	37
PID 668 wrote to memory of 844	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	37
PID 668 wrote to memory of 1660	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	39
PID 668 wrote to memory of 1660	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	39
PID 668 wrote to memory of 1660	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	39
PID 668 wrote to memory of 1660	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	39
PID 668 wrote to memory of 704	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	41
PID 668 wrote to memory of 704	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	41
PID 668 wrote to memory of 704	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	41
PID 668 wrote to memory of 704	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	41
PID 668 wrote to memory of 840	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	43
PID 668 wrote to memory of 840	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	43
PID 668 wrote to memory of 840	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	43
PID 668 wrote to memory of 840	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	43
PID 668 wrote to memory of 1708	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	44
PID 668 wrote to memory of 1708	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	44
PID 668 wrote to memory of 1708	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	44
PID 668 wrote to memory of 1708	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	44
PID 668 wrote to memory of 1216	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	47
PID 668 wrote to memory of 1216	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	47
PID 668 wrote to memory of 1216	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	47
PID 668 wrote to memory of 1216	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	47
PID 668 wrote to memory of 1680	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	49
PID 668 wrote to memory of 1680	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	49
PID 668 wrote to memory of 1680	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	49
PID 668 wrote to memory of 1680	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	49
PID 668 wrote to memory of 1348	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	51
PID 668 wrote to memory of 1348	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	51
PID 668 wrote to memory of 1348	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	51
PID 668 wrote to memory of 1348	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	51
PID 668 wrote to memory of 1132	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	53
PID 668 wrote to memory of 1132	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	53
PID 668 wrote to memory of 1132	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	53
PID 668 wrote to memory of 1132	668	74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe	53

C:\Users\Admin\AppData\Local\Temp\74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe
"C:\Users\Admin\AppData\Local\Temp\74d04ff771d1e435e6a1fedd79bd823cff4e934fedf404f856a5136572bcb4c3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads