52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0

General

Target

52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
Size

271KB
MD5

6e5c770642e74febfbc609703959e39a
SHA1

2fe21b85b7c1652e5db461dcce6729410a529379
SHA256

52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0
SHA512

49cd9402c45ca89cba868602badae53b2a5db7aad60270b4dd516aa3b47685ab70c036c44c55ec6bf64763bfb468292c4643bf71d83be09ca9cd37dac8986a3b
SSDEEP

6144:V6Y4SDmnkDTrYCL2th1i4XPW42cglluj4bQpnofsn:V6Y4SDmnkoLi4+/f8Mbyo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\52979F~1.EXE,"	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\52979F~1.EXE"	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fea45473 = "Â^:,wtc2\"\u00a0;DÇõ¯°¬iŠ•÷\x10\x10€“èW]U8$áQe\x1b#\x12éêº\u00adb\x02\x18¡Gj_\x1fªëÓŽÜA\|7«ñÚ¥”Cžë¹ºEI?à™§Š_¤æ“•™%a\x16öÀ‡§oòd˜»Ç‘ƒ\ná\x191\x19ä{s\x174¹‡óaÛ‡\\\f\u0081§/?\x0f+\t¬´\x03\|WÓ4´vÉÛ«!1ÙqkSÃÓæéq)Qùv\x069,io\x11FŸ\asÁ©¼É9þÙ\vÎ†¡9\x19ÉLÁìÎy©áY‘ëÃ‹Lži\x01ÜI\x1e‘\vþÃŽóI‰¼lÁá§Û\fÙ/”Y·q\x01Q[;ä\x06œÜ9ÁÓ\x04\x13Ù‹¿YÞþ>é¼”ÙQNŒÙnû™\|\x14Ÿa\u0081ÙŒì¬áœg\f\tüÎÓ\x0f"	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\52979F~1.EXE"	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
Token: SeSecurityPrivilege	1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
Token: SeSecurityPrivilege	1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
Token: SeSecurityPrivilege	1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1112	52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe

C:\Users\Admin\AppData\Local\Temp\52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe
"C:\Users\Admin\AppData\Local\Temp\52979f4467861dfa2bb5226b7cd02780db0af0c60e7bce157538ff1090f073b0.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1112-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/1112-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1112-59-0x00000000020A0000-0x0000000002152000-memory.dmp

Filesize
712KB

Download
memory/1112-58-0x00000000020A0000-0x0000000002152000-memory.dmp

Filesize
712KB

Download
memory/1112-60-0x00000000020A0000-0x0000000002152000-memory.dmp

Filesize
712KB

Download
memory/1112-63-0x00000000020A0000-0x0000000002152000-memory.dmp

Filesize
712KB

Download
memory/1112-62-0x00000000020A0000-0x0000000002152000-memory.dmp

Filesize
712KB

Download
memory/1112-65-0x00000000020A0000-0x0000000002152000-memory.dmp

Filesize
712KB

Download
memory/1112-66-0x00000000025A0000-0x0000000002658000-memory.dmp

Filesize
736KB

Download
memory/1112-67-0x00000000025A0000-0x0000000002658000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads