954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4

General

Target

954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe
Size

81KB
MD5

41fc66d0c54325a6ec0d302ed3de3eb6
SHA1

82ba4587f013c06733a388fddc27a97c5c733ab8
SHA256

954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4
SHA512

b496084754227af352483416ea47c28e2003238d6cd3947c55060fa6a4446de89f4d72f5fcc28decf1c4865ea1976f7051a517d9aa9a2a6c03eea0d40e795daa
SSDEEP

768:2rFPx8ceViHNaZyiJHFlnjSSO3c1boD9d9rA49U6n1hPLJ890GMkJ5z9o6je4K6h:2ByKNaZXWYEi4K6nPMbLRoMe4K2f1

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\DownloadSave\\mhfmaby.exe"	mhfmaby.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	mhfmaby.exe
1644	mhfmaby.exe

Deletes itself 1 IoCs

pid	Process
1956	mhfmaby.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe
2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe
1956	mhfmaby.exe
1956	mhfmaby.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	mhfmaby.exe
File opened (read-only)	\??\P:	mhfmaby.exe
File opened (read-only)	\??\L:	mhfmaby.exe
File opened (read-only)	\??\I:	mhfmaby.exe
File opened (read-only)	\??\G:	mhfmaby.exe
File opened (read-only)	\??\E:	mhfmaby.exe
File opened (read-only)	\??\Z:	mhfmaby.exe
File opened (read-only)	\??\U:	mhfmaby.exe
File opened (read-only)	\??\Q:	mhfmaby.exe
File opened (read-only)	\??\K:	mhfmaby.exe
File opened (read-only)	\??\J:	mhfmaby.exe
File opened (read-only)	\??\B:	mhfmaby.exe
File opened (read-only)	\??\X:	mhfmaby.exe
File opened (read-only)	\??\S:	mhfmaby.exe
File opened (read-only)	\??\O:	mhfmaby.exe
File opened (read-only)	\??\N:	mhfmaby.exe
File opened (read-only)	\??\F:	mhfmaby.exe
File opened (read-only)	\??\Y:	mhfmaby.exe
File opened (read-only)	\??\W:	mhfmaby.exe
File opened (read-only)	\??\V:	mhfmaby.exe
File opened (read-only)	\??\R:	mhfmaby.exe
File opened (read-only)	\??\M:	mhfmaby.exe
File opened (read-only)	\??\H:	mhfmaby.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1956	mhfmaby.exe
Token: SeIncBasePriorityPrivilege	1644	mhfmaby.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1956	mhfmaby.exe
1644	mhfmaby.exe
1644	mhfmaby.exe
1956	mhfmaby.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1956	2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe	26
PID 2044 wrote to memory of 1956	2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe	26
PID 2044 wrote to memory of 1956	2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe	26
PID 2044 wrote to memory of 1956	2044	954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe	26
PID 1956 wrote to memory of 1644	1956	mhfmaby.exe	27
PID 1956 wrote to memory of 1644	1956	mhfmaby.exe	27
PID 1956 wrote to memory of 1644	1956	mhfmaby.exe	27
PID 1956 wrote to memory of 1644	1956	mhfmaby.exe	27

C:\Users\Admin\AppData\Local\Temp\954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe
"C:\Users\Admin\AppData\Local\Temp\954077d922fd090ed9d6ceb1c62bf84a99a1f8a233967075584ec3f628204be4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\ProgramData\DownloadSave\mhfmaby.exe
  "C:\ProgramData\DownloadSave\mhfmaby.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\ProgramData\DownloadSave\ mhfmaby.exe
    "C:\ProgramData\DownloadSave\ mhfmaby.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadSave\ mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
C:\ProgramData\DownloadSave\RecordPath

Filesize
260B

MD5
f4173d6266645371f20f1950317e44db

SHA1
9f92bc6f97c083cd8661c340da63414346d3fc5e

SHA256
9cd80b5fb7b48b4c94b09837923a2ae0f29c00cab3d2036d0e48de9f2b324ccb

SHA512
56f285d81f155259960f96ce9694d28a539279281ae1030e5f195a1b3a48d5945a7946395edf7b2d0333e08efce4b1479581a9fd910af90b0a9add1bcb940214

Download Submit
C:\ProgramData\DownloadSave\mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
C:\ProgramData\DownloadSave\mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
\ProgramData\DownloadSave\ mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
\ProgramData\DownloadSave\ mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
\ProgramData\DownloadSave\mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
\ProgramData\DownloadSave\mhfmaby.exe

Filesize
6.1MB

MD5
ac7a5892f9775d7f9465a80777d53709

SHA1
7e95a54defff27b3cc363d53276c723ecee25833

SHA256
e43379f38431c5b678a2834ff2d520a30f88e03b7c2d44c6bf185fd6f702adf7

SHA512
a09eeb1751e288dc1d4d221e9c24e04301d0d85fe0cc462044487fd78ddfd53af224104137d3f369a1c4e5fed714ffec930e81966c6ced78814922e4305964cb

Download Submit
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing