Analysis
-
max time kernel
70s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2022 22:33
Static task
static1
Behavioral task
behavioral1
Sample
abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe
Resource
win10v2004-20220901-en
General
-
Target
abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe
-
Size
96KB
-
MD5
32aff54749d060b3cb09d0495b757507
-
SHA1
cf264cddab7f2475698df32390f354d6311d54c4
-
SHA256
abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc
-
SHA512
9604635aea88424800eb9032664aa272f9586ac577adc447234f962821677a4539cc0c52c5c48c161669892e18909d97977e8c0985b00a406526d8ce344f5b71
-
SSDEEP
1536:GR1+aJe1mgawzxsBub8PC1jIHxATVGjJKDZieF8vHf5hTuCjIHxATVG9+aJe1mgS:GR1+aJe1mgawzxsBub861jIHxowFKQ3O
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe C:\\Windows\\system32\\config\\Systemlog.exe" abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe -
Disables Task Manager via registry modification
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\Systemlog.exe abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe File opened for modification C:\Windows\SysWOW64\config\Systemlog.exe abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe File created C:\Windows\SysWOW64\winsetup.file abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe File opened for modification C:\Windows\SysWOW64\winsetup.file abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4564 wrote to memory of 3412 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe 84 PID 4564 wrote to memory of 3412 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe 84 PID 4564 wrote to memory of 3412 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe 84 PID 4564 wrote to memory of 4568 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe 85 PID 4564 wrote to memory of 4568 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe 85 PID 4564 wrote to memory of 4568 4564 abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe"C:\Users\Admin\AppData\Local\Temp\abf2fb21621c31d349078b286c787bd069d70fb591f8817bf76b89b6b95cabdc.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Notepad.exeNotepad2⤵PID:3412
-
-
C:\Windows\SysWOW64\Notepad.exeNotepad2⤵PID:4568
-