b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe
Size

213KB
MD5

c891fb2c35cb2a1ebd19f877ea058293
SHA1

616d8bbc62c613049e474a5c84ee498ba3005bcc
SHA256

b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a
SHA512

815aaaf96cc40388ba8491674e61a1ea30c790aa13671796cb6dfb67e61817e0f575e82fb1238d59caeae4ef213dcae88efb06c2e66cad002199c3bee85c8c3c
SSDEEP

3072:MRb3lRU5tngTkdny5g4fX6y9c0qKyBQJvU4MrHDqeXsGKLu8F3HOwE2U:607wkd6g4fX6Qc8yeNUhrpXsGKLu8Nr

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\template.xml"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exesvchost.exe

pid process

5056 b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe
1672 svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe

pid	process
5056	b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe
5056	b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe

C:\Users\Admin\AppData\Local\Temp\b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe
"C:\Users\Admin\AppData\Local\Temp\b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: MapViewOfSection
PID:5056

C:\Windows\syswow64\svchost.exe
"C:\Windows\syswow64\svchost.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-137-0x00007FFF9A390000-0x00007FFF9A585000-memory.dmp

Filesize
2.0MB

Download
memory/760-138-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/760-139-0x00007FFF9A390000-0x00007FFF9A585000-memory.dmp

Filesize
2.0MB

Download
memory/5056-132-0x0000000002650000-0x0000000002751000-memory.dmp

Filesize
1.0MB

Download
memory/5056-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-134-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/5056-135-0x0000000002650000-0x0000000002751000-memory.dmp

Filesize
1.0MB

Download
memory/5056-136-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download

pid	process
5056	b1fa12e105c978c84bfd398fcc6549d602fd9986f4af3895cf5073a06187243a.exe
1672	svchost.exe