0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa

Analysis

max time kernel
107s
max time network
127s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
Size

51KB
MD5

c17e82db572e189e68bb78c6b768ef01
SHA1

f34ba7ad61d32c38a8c8f984b045e7fddf87880b
SHA256

0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa
SHA512

a733cdec21576fae5019f8568a3acfb5f3a98df0c1002103c5bdc601151f77228f93a4e642b38afb8736d968ade1b6f5392006d459cb42ba861af8cef361ac94
SSDEEP

1536:1B77777J77c77c77c71S1XeilJIr96B77777J77c77c77c7QwurRlKuXp0r:1B77777J77c77c77c71KblJIr96B777k

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\AAFAB4.exe\""	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAFAB4.exe = "C:\\Windows\\AAFAB4.exe"	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AAFAB4.exe	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
File opened for modification	C:\Windows\AAFAB4QQSQQZ.exe	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1780	TASKKILL.exe
572	TASKKILL.exe
1276	TASKKILL.exe
948	TASKKILL.exe
1712	TASKKILL.exe
1064	TASKKILL.exe
1328	TASKKILL.exe
1456	TASKKILL.exe
1356	TASKKILL.exe
2032	TASKKILL.exe
840	TASKKILL.exe
1368	TASKKILL.exe
628	TASKKILL.exe
1048	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	TASKKILL.exe
Token: SeDebugPrivilege	2032	TASKKILL.exe
Token: SeDebugPrivilege	948	TASKKILL.exe
Token: SeDebugPrivilege	1276	TASKKILL.exe
Token: SeDebugPrivilege	840	TASKKILL.exe
Token: SeDebugPrivilege	1328	TASKKILL.exe
Token: SeDebugPrivilege	1456	TASKKILL.exe
Token: SeDebugPrivilege	1048	TASKKILL.exe
Token: SeDebugPrivilege	572	TASKKILL.exe
Token: SeDebugPrivilege	1368	TASKKILL.exe
Token: SeDebugPrivilege	1780	TASKKILL.exe
Token: SeDebugPrivilege	628	TASKKILL.exe
Token: SeDebugPrivilege	1064	TASKKILL.exe
Token: SeDebugPrivilege	1712	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 948	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	28
PID 1952 wrote to memory of 948	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	28
PID 1952 wrote to memory of 948	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	28
PID 1952 wrote to memory of 948	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	28
PID 1952 wrote to memory of 1712	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	29
PID 1952 wrote to memory of 1712	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	29
PID 1952 wrote to memory of 1712	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	29
PID 1952 wrote to memory of 1712	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	29
PID 1952 wrote to memory of 572	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	31
PID 1952 wrote to memory of 572	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	31
PID 1952 wrote to memory of 572	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	31
PID 1952 wrote to memory of 572	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	31
PID 1952 wrote to memory of 1276	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	33
PID 1952 wrote to memory of 1276	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	33
PID 1952 wrote to memory of 1276	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	33
PID 1952 wrote to memory of 1276	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	33
PID 1952 wrote to memory of 1064	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	35
PID 1952 wrote to memory of 1064	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	35
PID 1952 wrote to memory of 1064	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	35
PID 1952 wrote to memory of 1064	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	35
PID 1952 wrote to memory of 2032	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	36
PID 1952 wrote to memory of 2032	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	36
PID 1952 wrote to memory of 2032	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	36
PID 1952 wrote to memory of 2032	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	36
PID 1952 wrote to memory of 1780	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	39
PID 1952 wrote to memory of 1780	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	39
PID 1952 wrote to memory of 1780	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	39
PID 1952 wrote to memory of 1780	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	39
PID 1952 wrote to memory of 840	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	41
PID 1952 wrote to memory of 840	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	41
PID 1952 wrote to memory of 840	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	41
PID 1952 wrote to memory of 840	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	41
PID 1952 wrote to memory of 1368	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	43
PID 1952 wrote to memory of 1368	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	43
PID 1952 wrote to memory of 1368	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	43
PID 1952 wrote to memory of 1368	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	43
PID 1952 wrote to memory of 628	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	45
PID 1952 wrote to memory of 628	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	45
PID 1952 wrote to memory of 628	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	45
PID 1952 wrote to memory of 628	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	45
PID 1952 wrote to memory of 1328	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	47
PID 1952 wrote to memory of 1328	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	47
PID 1952 wrote to memory of 1328	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	47
PID 1952 wrote to memory of 1328	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	47
PID 1952 wrote to memory of 1456	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	49
PID 1952 wrote to memory of 1456	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	49
PID 1952 wrote to memory of 1456	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	49
PID 1952 wrote to memory of 1456	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	49
PID 1952 wrote to memory of 1048	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	52
PID 1952 wrote to memory of 1048	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	52
PID 1952 wrote to memory of 1048	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	52
PID 1952 wrote to memory of 1048	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	52
PID 1952 wrote to memory of 1356	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	53
PID 1952 wrote to memory of 1356	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	53
PID 1952 wrote to memory of 1356	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	53
PID 1952 wrote to memory of 1356	1952	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	53

C:\Users\Admin\AppData\Local\Temp\0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
"C:\Users\Admin\AppData\Local\Temp\0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads