0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa

Analysis

max time kernel
145s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
Size

51KB
MD5

c17e82db572e189e68bb78c6b768ef01
SHA1

f34ba7ad61d32c38a8c8f984b045e7fddf87880b
SHA256

0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa
SHA512

a733cdec21576fae5019f8568a3acfb5f3a98df0c1002103c5bdc601151f77228f93a4e642b38afb8736d968ade1b6f5392006d459cb42ba861af8cef361ac94
SSDEEP

1536:1B77777J77c77c77c71S1XeilJIr96B77777J77c77c77c7QwurRlKuXp0r:1B77777J77c77c77c71KblJIr96B777k

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\12E5B84.exe\""	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12E5B84.exe = "C:\\Windows\\12E5B84.exe"	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\12E5B84.exe	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
File opened for modification	C:\Windows\12E5B84QQSQRW.exe	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1356	TASKKILL.exe
4944	TASKKILL.exe
372	TASKKILL.exe
2172	TASKKILL.exe
1444	TASKKILL.exe
4992	TASKKILL.exe
5096	TASKKILL.exe
1108	TASKKILL.exe
4852	TASKKILL.exe
4072	TASKKILL.exe
2464	TASKKILL.exe
5080	TASKKILL.exe
5052	TASKKILL.exe
4604	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	TASKKILL.exe
Token: SeDebugPrivilege	1444	TASKKILL.exe
Token: SeDebugPrivilege	5080	TASKKILL.exe
Token: SeDebugPrivilege	1356	TASKKILL.exe
Token: SeDebugPrivilege	2464	TASKKILL.exe
Token: SeDebugPrivilege	1108	TASKKILL.exe
Token: SeDebugPrivilege	4992	TASKKILL.exe
Token: SeDebugPrivilege	5052	TASKKILL.exe
Token: SeDebugPrivilege	4604	TASKKILL.exe
Token: SeDebugPrivilege	4852	TASKKILL.exe
Token: SeDebugPrivilege	4944	TASKKILL.exe
Token: SeDebugPrivilege	372	TASKKILL.exe
Token: SeDebugPrivilege	2172	TASKKILL.exe
Token: SeDebugPrivilege	5096	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1356	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	79
PID 1200 wrote to memory of 1356	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	79
PID 1200 wrote to memory of 1356	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	79
PID 1200 wrote to memory of 1108	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	80
PID 1200 wrote to memory of 1108	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	80
PID 1200 wrote to memory of 1108	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	80
PID 1200 wrote to memory of 4852	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	87
PID 1200 wrote to memory of 4852	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	87
PID 1200 wrote to memory of 4852	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	87
PID 1200 wrote to memory of 1444	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	82
PID 1200 wrote to memory of 1444	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	82
PID 1200 wrote to memory of 1444	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	82
PID 1200 wrote to memory of 4604	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	84
PID 1200 wrote to memory of 4604	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	84
PID 1200 wrote to memory of 4604	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	84
PID 1200 wrote to memory of 372	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	104
PID 1200 wrote to memory of 372	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	104
PID 1200 wrote to memory of 372	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	104
PID 1200 wrote to memory of 4072	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	89
PID 1200 wrote to memory of 4072	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	89
PID 1200 wrote to memory of 4072	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	89
PID 1200 wrote to memory of 2464	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	90
PID 1200 wrote to memory of 2464	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	90
PID 1200 wrote to memory of 2464	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	90
PID 1200 wrote to memory of 4944	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	101
PID 1200 wrote to memory of 4944	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	101
PID 1200 wrote to memory of 4944	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	101
PID 1200 wrote to memory of 5096	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	99
PID 1200 wrote to memory of 5096	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	99
PID 1200 wrote to memory of 5096	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	99
PID 1200 wrote to memory of 5080	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	92
PID 1200 wrote to memory of 5080	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	92
PID 1200 wrote to memory of 5080	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	92
PID 1200 wrote to memory of 5052	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	93
PID 1200 wrote to memory of 5052	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	93
PID 1200 wrote to memory of 5052	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	93
PID 1200 wrote to memory of 4992	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	96
PID 1200 wrote to memory of 4992	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	96
PID 1200 wrote to memory of 4992	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	96
PID 1200 wrote to memory of 2172	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	94
PID 1200 wrote to memory of 2172	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	94
PID 1200 wrote to memory of 2172	1200	0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe	94

C:\Users\Admin\AppData\Local\Temp\0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
"C:\Users\Admin\AppData\Local\Temp\0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads