7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b

General

Target

7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
Size

263KB
MD5

095b70ebc9664087574c65165dc5536a
SHA1

e82a32af30e8847b3629f07af373428964e7f732
SHA256

7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b
SHA512

d4578df8124246cf91db2a88e204097719af269d43fcb199e553779d52c8d6311fa0adacb22644317972b51d07ed7e8d2399f8c0e62319b4425695855531bef9
SSDEEP

3072:mwa0FSXxkcY93I6xeRSS05Im/vm8ud2U/ivJM7EATL5Bc9RuP6369u8cNzj:10XxEJARSS0tpa5/iiAATrARAp08czj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\7D3DF5~1.EXE,"	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7D3DF5~1.EXE"	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d29a8e7c = "£–}Aÿ~ó?\x0eÉ×áK\x02\x1cérL(5Ÿ9¤\u00a0–ù˜\x1cOÜ™Á¬/ç\bÚ`.\t\u0081º{öKJ¦¸#Ý¥jdX\tŒ¥Ønñ¥š-@À\u00a0Êø¡\x7fE#N¬\x1a\x12Âu\riÁ 3z§\x15#©SHgÁéÈíoqÎ¬&Té\\Œt\fÄÙÁô\|œ°HDDË²ð;¬tB(É£º€é©‹ôdäk²,\\Ä\x13a$ÓÛKLÊ£Äcü\x04Qø´;rÜ(˜L!ñ{Ê˜!û0€È\x13œ[àä³²\x13\x03dÜ¼É»‹\x1bÄt$¬\|DÑ©ë,»¤¬T#Šú\v’äÒ‹„4‹ ôSŒ\x1c#Ä`<IHä@ñB#´ó`\u0090ü\x020Ãl4kÓù+\|\x02[\u0090\x01Ðä›”ÚT”\x13¤\u00a0\u0090ÄX"	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7D3DF5~1.EXE"	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
Token: SeSecurityPrivilege	2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
Token: SeSecurityPrivilege	2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
Token: SeSecurityPrivilege	2020	7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe

C:\Users\Admin\AppData\Local\Temp\7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe
"C:\Users\Admin\AppData\Local\Temp\7d3df5a6c2962471a684c771d9469bd2305517f518f1639d76ea8e3c753c133b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/2020-56-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2020-57-0x0000000001F10000-0x0000000001FC2000-memory.dmp

Filesize
712KB

Download
memory/2020-58-0x0000000001F10000-0x0000000001FC2000-memory.dmp

Filesize
712KB

Download
memory/2020-59-0x0000000001F10000-0x0000000001FC2000-memory.dmp

Filesize
712KB

Download
memory/2020-61-0x0000000001F10000-0x0000000001FC2000-memory.dmp

Filesize
712KB

Download
memory/2020-62-0x0000000001F10000-0x0000000001FC2000-memory.dmp

Filesize
712KB

Download
memory/2020-64-0x0000000001F10000-0x0000000001FC2000-memory.dmp

Filesize
712KB

Download
memory/2020-65-0x0000000002530000-0x00000000025E8000-memory.dmp

Filesize
736KB

Download
memory/2020-66-0x0000000002530000-0x00000000025E8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads