de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856

General

Target

de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
Size

252KB
MD5

3381a8362587384e210c87989baf1c63
SHA1

7629ab5fb235793248f5574d81f0e0f53113dd4d
SHA256

de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856
SHA512

905f0b211370f604d9c9c5b6844c68dd4a4c9b151482201afbf1241ee4941f887afe0bb4642d429ac03f6f3df0459fe41d86fe9a67c2cad23b5c79732fbf49fd
SSDEEP

6144:E1rwii7st1Y+S6pYQCR+gs74dVGwG+oISthMZzLkV:ET+sH4wgsLMFkV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DE5657~1.EXE,"	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DE5657~1.EXE"	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DE5657~1.EXE"	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\22d540d9 = "H\x19DÇv\x05\bãŽ‰’\b\x17ÀœÏK^Äñ\x1aÛ®¦4“’zÚÜMóÝŽ¢ð\u00a0”…\x19ÀZz\x1e}‚\v\x05ÒË.×\x19ÌxZé”'9~+¸à·êØ?í”\\Q³¾ÙÏ÷ž‰â\"ßñ/¬Ê¼E1S7Ÿ\r>¯æ\x06ü\u0090ÇÂ/@v¶fJÒ®êƒ½½¦Ujº0Z{»Úˆê}þÐ^ÆŽ==îšnØ{5U«h\x02þv2XÚ«\x10îãàöÖÓ»ÎS=:\u00adµz\búpõ®>ªˆ2ò\x15v26ŽÈòh2¨£›®S=fÖö~ØVb®ÖÚ–jx¶\x12~ÖØžS\x02RÍÅƒ\u009d²¢«.&\u00a0êKÃ;æ¦ˆø²>þ.\u0090ÞbŽ`\x1dÚõCòÖÀ~ž\x10’í†\x12¦ÒÐã\"JæŠ–"	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
Token: SeSecurityPrivilege	1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
Token: SeSecurityPrivilege	1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
Token: SeSecurityPrivilege	1140	de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe

C:\Users\Admin\AppData\Local\Temp\de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe
"C:\Users\Admin\AppData\Local\Temp\de56575a24381395ca9bb074e7830fdd0a64f368caa0200eab60b3de1266d856.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1140-55-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1140-56-0x00000000020C0000-0x000000000210C000-memory.dmp

Filesize
304KB

Download
memory/1140-57-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1140-59-0x00000000024E0000-0x0000000002592000-memory.dmp

Filesize
712KB

Download
memory/1140-58-0x00000000024E0000-0x0000000002592000-memory.dmp

Filesize
712KB

Download
memory/1140-60-0x00000000024E0000-0x0000000002592000-memory.dmp

Filesize
712KB

Download
memory/1140-62-0x00000000024E0000-0x0000000002592000-memory.dmp

Filesize
712KB

Download
memory/1140-63-0x00000000024E0000-0x0000000002592000-memory.dmp

Filesize
712KB

Download
memory/1140-65-0x00000000024E0000-0x0000000002592000-memory.dmp

Filesize
712KB

Download
memory/1140-66-0x0000000002770000-0x0000000002828000-memory.dmp

Filesize
736KB

Download
memory/1140-67-0x0000000002770000-0x0000000002828000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads