df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88

Analysis

max time kernel
148s
max time network
193s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
Size

259KB
MD5

10bb77f4347a8180f3069ec4a1d3bb00
SHA1

77663841912b9ecdefb187acb04fb1faf09c05f8
SHA256

df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88
SHA512

fe5188ea3f4be4ccafb6f67246deacf6b60dcc1d34f0dab82d23737913ac888a42717ede5cc1c1e69dea18edc5894b57c64feb3829f56418daae36efaf732b71
SSDEEP

6144:Wqkpl9HX8DqrItDpSuXgUJhS19Guxox5F7OyEPk/aEMBeqrNVwPm7ygSTD:WlD38Dqr6ZvJh2Gu8myckJ0eqhWrfTD

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DF5AB2~1.EXE,"	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DF5AB2~1.EXE"	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DF5AB2~1.EXE"	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\77d84817 = "F\x05\x7f\x02æ{‰†9lbe:Ö©Ò€õ»úséSã¸~nÁ'¡(P\u00adçß9F·I\x02O#Ø\b_”)D”Æ\x12šh_?=‰5t;\vÂ;Õ—šcøE¡åMÇÒíe\x01cíH_þÙ#~Û!e“ÙÙU\x05„æ¿Öµ\u0090u\a%Ë67MÆ6\x7f0?·ëO{«èep½€~Þ›G•^¯Û^0Øn\u008f/-7Ç/¯æí·_ßØŸ§o»Æ\x18ÿŸVh8È[Mo…\u008f÷"	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
Token: SeSecurityPrivilege	1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
Token: SeSecurityPrivilege	1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
Token: SeSecurityPrivilege	1584	df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe

C:\Users\Admin\AppData\Local\Temp\df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe
"C:\Users\Admin\AppData\Local\Temp\df5ab223f34a29c57df0b260bfdefe25cc01bc75321c6e93269ef2c1aee38b88.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1584-55-0x0000000000400000-0x00000000006F8000-memory.dmp

Filesize
3.0MB

Download
memory/1584-56-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/1584-57-0x0000000000400000-0x00000000006F8000-memory.dmp

Filesize
3.0MB

Download
memory/1584-58-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/1584-60-0x0000000002550000-0x0000000002602000-memory.dmp

Filesize
712KB

Download
memory/1584-59-0x0000000002550000-0x0000000002602000-memory.dmp

Filesize
712KB

Download
memory/1584-61-0x0000000002550000-0x0000000002602000-memory.dmp

Filesize
712KB

Download
memory/1584-63-0x0000000002550000-0x0000000002602000-memory.dmp

Filesize
712KB

Download
memory/1584-64-0x0000000002550000-0x0000000002602000-memory.dmp

Filesize
712KB

Download
memory/1584-66-0x0000000002550000-0x0000000002602000-memory.dmp

Filesize
712KB

Download
memory/1584-67-0x0000000002710000-0x00000000027C8000-memory.dmp

Filesize
736KB

Download
memory/1584-68-0x0000000002710000-0x00000000027C8000-memory.dmp

Filesize
736KB

Download