77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a

General

Target

77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Size

20KB
MD5

3d4d48683bf8f8baa1f605c2d66109f2
SHA1

0b7229e7cac0f77fd4a3f6ebd28f8d1e5484df3c
SHA256

77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a
SHA512

4b14f702852752724cc06d338d5028ce294426ce9a49d8158381fb524393b5b5dfb693366ff623a2f929778dc9471866eb6039276b9d61c15c5285b2afec5b88
SSDEEP

192:hTJH/Qjeg0VF2PdxP+qTUdXmZ52VhDmAEAJ:hdHXAP0hDmAEc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe

Modifies registry class 10 IoCs

Processes:

77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "cleanmgr.exe %1"	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "My Application"	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "MyApp"	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LogonUI.exe

description pid process

Token: SeShutdownPrivilege 684 LogonUI.exe
Token: SeShutdownPrivilege 684 LogonUI.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe

pid process

1492 77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe

description	pid	process
Token: SeShutdownPrivilege	684	LogonUI.exe
Token: SeShutdownPrivilege	684	LogonUI.exe

pid	process
1492	77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

csrss.exewinlogon.exe

description	pid	process	target process
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1672 wrote to memory of 684	1672	winlogon.exe	LogonUI.exe
PID 1672 wrote to memory of 684	1672	winlogon.exe	LogonUI.exe
PID 1672 wrote to memory of 684	1672	winlogon.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe
PID 1924 wrote to memory of 684	1924	csrss.exe	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe
"C:\Users\Admin\AppData\Local\Temp\77ecfc26899276ce125ce8920e0e4d8cb71b94dc8d6f887f7a7c886e307a5d8a.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1116

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-57-0x0000000000000000-mapping.dmp

Download
memory/684-58-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1116-56-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads