aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25

General

Target

aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
Size

293KB
MD5

1c827b23f806d56d6d50b214b249a3be
SHA1

a04087fc07fe2398e9fdb5c4473d3c8fd9e0a567
SHA256

aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25
SHA512

1dd34c8203c1c8d3acdde0e36ccea78b8b8cf2948d30a705d55db7eae208166e63741dd9e55dde0ef3c08be230d04046dd27dffdcd6cc49101bcc4e6dddbad9c
SSDEEP

6144:gNwYOYeJpZ15X/wVaTM86j0XaFGLcNYvE26SMM6glM9cOeWbOmEx:cOYeJ/cETYj0XasINjhKMnJ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\AEF9A0~1.EXE,"	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AEF9A0~1.EXE"	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9be1e5cd = "ÃO¦þ¢W€\x06Á°?ÂNól¦-©yxw0õt\x16ˆ\x02c7´L7q}\"Ê×\x1b;\x7f'ý«\"á\x01˜¼=\tHÙUÛ\u0081ïà…ƒ‰a?Aºt&z\x05‚!©\x1a8maØc”cN‹Ý‚*ÜšœA@5€ð\x0fæœ$\x13ºKÇS\\…yñëh×q“3)ª\viÁ’ÐÈÑZ[u«…zè¡ýÙ\ae±›…2áÏ±‡J\x17µ%€\x01\u0081YÒÙ\u0090rß5[mûùÿiê‹±ñ‰j\x18X//ûËãé\x17€GQëõâ¹±UŸk_\u0081ûé\x1bQ;?ñ¥\x1d\u0090\x03H\x15q¥Û\u008f_³‘¹€«#\rPÓùK÷9Z\x12!ý3òÑ1\"‘sç\x03\x10g³¸²p\x1b±Ð¡z3»©Xê)Úñ)‘ñ]‰Paç\x11"	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AEF9A0~1.EXE"	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
Token: SeSecurityPrivilege	904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
Token: SeSecurityPrivilege	904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
Token: SeSecurityPrivilege	904	aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe

C:\Users\Admin\AppData\Local\Temp\aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe
"C:\Users\Admin\AppData\Local\Temp\aef9a06f43b8b9edb3ff3be008a6d55104014194891ecc2b8c65c8e037275e25.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/904-55-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/904-56-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/904-57-0x00000000027E0000-0x0000000002892000-memory.dmp

Filesize
712KB

Download
memory/904-59-0x00000000027E0000-0x0000000002892000-memory.dmp

Filesize
712KB

Download
memory/904-58-0x00000000027E0000-0x0000000002892000-memory.dmp

Filesize
712KB

Download
memory/904-62-0x00000000027E0000-0x0000000002892000-memory.dmp

Filesize
712KB

Download
memory/904-61-0x00000000027E0000-0x0000000002892000-memory.dmp

Filesize
712KB

Download
memory/904-64-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/904-65-0x00000000027E0000-0x0000000002892000-memory.dmp

Filesize
712KB

Download
memory/904-66-0x0000000002DD0000-0x0000000002E88000-memory.dmp

Filesize
736KB

Download
memory/904-67-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/904-68-0x0000000002DD0000-0x0000000002E88000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads