77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1

General

Target

77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Size

39KB
MD5

ec97bc04d36e83ce5ed092bf156878f6
SHA1

e5fce1e8277db9dcf9f11559c0c165f0d3b124f8
SHA256

77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1
SHA512

9852daca6286340ca4634a8f0a26a463415bfa81c3632de99894c8e8c340e3bdfcfa1ad5193246cfb31781bcf913a08f7b9d2f90863c1323f43761ef2b4a4a61
SSDEEP

768:k9Bn2RpxSECWHVYgnqk6i4WUGCmaflH6t8VHjVnb/0w:kDn23xSvAVznq9i4HGChY0jVnjD

Score

10^/10

Modifies WinLogon for persistence 2 TTPs 1 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\winlogon32.exe"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smss32.exe	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
File opened for modification	C:\Windows\SysWOW64\smss32.exe	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
File created	C:\Windows\SysWOW64\winlogon32.exe	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 5 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\PhishingFilter	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1"	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	77eef7ddc2580e0ad42d64d7ca507263a18523cfaf739fece662131a94eb9aa1.exe