a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
Size

65KB
MD5

af4488180d830e4c60fb86051ebeb8e8
SHA1

48b09d63e2f9640877847869981834bc23f859c3
SHA256

a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a
SHA512

2ea1ec57dfc98d1a519668ed29a17dda5728f72c222b9ad8be8959165401cff395ea967ac1c43dc38ee6956eccfb7d97f23efa19ffbe9d00c37847d27f17edef
SSDEEP

1536:ATpxO9WYZjfMLaqtFzzu72HQz0aAO7kdK/8g2:X/bvqK2OYdTR

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.dat"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
460	explorer.exe
1344	Explorer.EXE
1700	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1344	Explorer.EXE
1344	Explorer.EXE
1344	Explorer.EXE
1344	Explorer.EXE
304	ctfmon.exe
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1344	Explorer.EXE
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1700	svchost.exe
1700	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1880 wrote to memory of 1972	1880	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	27
PID 1972 wrote to memory of 460	1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	28
PID 1972 wrote to memory of 460	1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	28
PID 1972 wrote to memory of 460	1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	28
PID 1972 wrote to memory of 460	1972	a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe	28
PID 460 wrote to memory of 1344	460	explorer.exe	17
PID 1344 wrote to memory of 1700	1344	Explorer.EXE	29
PID 1344 wrote to memory of 1700	1344	Explorer.EXE	29
PID 1344 wrote to memory of 1700	1344	Explorer.EXE	29
PID 1344 wrote to memory of 1700	1344	Explorer.EXE	29
PID 1344 wrote to memory of 1700	1344	Explorer.EXE	29
PID 1700 wrote to memory of 304	1700	svchost.exe	30
PID 1700 wrote to memory of 304	1700	svchost.exe	30
PID 1700 wrote to memory of 304	1700	svchost.exe	30
PID 1700 wrote to memory of 304	1700	svchost.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
  "C:\Users\Admin\AppData\Local\Temp\a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe
    "C:\Users\Admin\AppData\Local\Temp\a37f0bc7d668163e5040ecbda78ffb08f93137379ce456b54318b6533ca3b00a.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:460
- C:\Windows\syswow64\svchost.exe
  "C:\Windows\syswow64\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/460-69-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/460-68-0x00000000FFE00000-0x00000001000C0000-memory.dmp

Filesize
2.8MB

Download
memory/1344-66-0x0000000001C60000-0x0000000001C69000-memory.dmp

Filesize
36KB

Download
memory/1700-75-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1700-73-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1700-72-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1700-70-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1880-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1972-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-64-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download