Overview

overview

10

Static

static

8cc1a23725...82.exe

windows7-x64

10

8cc1a23725...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 05:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8cc1a23725735f328834763c9884a015f7a0c0a7a887b0b0fcf660b638f92182.exe

  • Size

    83KB

  • MD5

    e3399966a1670483f5cf8f9b3aa614e4

  • SHA1

    52e33835e7b70838eaa77fa779b4b1f8c29028df

  • SHA256

    8cc1a23725735f328834763c9884a015f7a0c0a7a887b0b0fcf660b638f92182

  • SHA512

    4e08cf65d91a1af5afc3eb898a8648c1063afe5325cad5834525500f44419766b68ef641b29cad336699fa0c0cb75ea9106340b456f6b3b38c6eb1e208a66b24

  • SSDEEP

    1536:luACsyyYIyg0tWq/YtjTjIWr/qu9f6fd9u7GH9R14tc5F9WkmLUky/DEqHN:Ss0dWyYtfZ/vfaPdR14t+F9W0DEqHN

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:604
    • C:\Users\Admin\AppData\Local\Temp\8cc1a23725735f328834763c9884a015f7a0c0a7a887b0b0fcf660b638f92182.exe
      "C:\Users\Admin\AppData\Local\Temp\8cc1a23725735f328834763c9884a015f7a0c0a7a887b0b0fcf660b638f92182.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Users\Admin\AppData\Local\Temp\8cc1a23725735f328834763c9884a015f7a0c0a7a887b0b0fcf660b638f92182.exe
        "C:\Users\Admin\AppData\Local\Temp\8cc1a23725735f328834763c9884a015f7a0c0a7a887b0b0fcf660b638f92182.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2580

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/604-193-0x0000000032090000-0x00000000320A7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-199-0x00000000320B0000-0x00000000320C7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-229-0x0000000032150000-0x0000000032167000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-223-0x0000000032130000-0x0000000032147000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-217-0x0000000032110000-0x0000000032127000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-211-0x00000000320F0000-0x0000000032107000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-205-0x00000000320D0000-0x00000000320E7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-145-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-151-0x0000000031FB0000-0x0000000031FC7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-175-0x0000000032030000-0x0000000032047000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-163-0x0000000031FF0000-0x0000000032007000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-169-0x0000000032010000-0x0000000032027000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-157-0x0000000031FD0000-0x0000000031FE7000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-181-0x0000000032050000-0x0000000032067000-memory.dmp

            Filesize

            92KB

            Download

          • memory/604-187-0x0000000032070000-0x0000000032087000-memory.dmp

            Filesize

            92KB

            Download

          • memory/2580-133-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download

          • memory/2580-139-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download

          • memory/2580-137-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download

          • memory/2580-136-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download

          • memory/2580-135-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download

          • memory/2580-134-0x0000000000400000-0x0000000000417000-memory.dmp

            Filesize

            92KB

            Download