917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62

Reason

Machine shutdown

General

Target

917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Size

81KB
MD5

30cf084eeeb56ee7c01a2e214f348d76
SHA1

2b43dfd8c398a4925ea66653d351f84af669d3e3
SHA256

917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62
SHA512

f94dc5a93122999ad35dd3c07bc0db08cfd88ad0e4dc55c7768b3d75e441f290d5a259237cf5401cbc407d50223eb513b03eb3d45f891872b0ff49be2f423f16
SSDEEP

384:PJG14lR/NpKAN+UJfo8vJh/7neuwyv3ZUKcreuDreuwyv3ZUKcreuDz:RFtFe8vJtDeunUreufeunUreuf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winsock.exe	attrib.exe
File created	C:\Windows\SysWOW64\winkernel32.exe	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
File opened for modification	C:\Windows\SysWOW64\winkernel32.exe	attrib.exe
File created	C:\Windows\SysWOW64\winsock.exe	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	576	shutdown.exe
Token: SeRemoteShutdownPrivilege	576	shutdown.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1700	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	27
PID 1368 wrote to memory of 1700	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	27
PID 1368 wrote to memory of 1700	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	27
PID 1368 wrote to memory of 1700	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	27
PID 1700 wrote to memory of 976	1700	cmd.exe	29
PID 1700 wrote to memory of 976	1700	cmd.exe	29
PID 1700 wrote to memory of 976	1700	cmd.exe	29
PID 1700 wrote to memory of 976	1700	cmd.exe	29
PID 1368 wrote to memory of 892	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	30
PID 1368 wrote to memory of 892	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	30
PID 1368 wrote to memory of 892	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	30
PID 1368 wrote to memory of 892	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	30
PID 892 wrote to memory of 1504	892	cmd.exe	32
PID 892 wrote to memory of 1504	892	cmd.exe	32
PID 892 wrote to memory of 1504	892	cmd.exe	32
PID 892 wrote to memory of 1504	892	cmd.exe	32
PID 1368 wrote to memory of 664	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	33
PID 1368 wrote to memory of 664	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	33
PID 1368 wrote to memory of 664	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	33
PID 1368 wrote to memory of 664	1368	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe	33
PID 664 wrote to memory of 576	664	cmd.exe	35
PID 664 wrote to memory of 576	664	cmd.exe	35
PID 664 wrote to memory of 576	664	cmd.exe	35
PID 664 wrote to memory of 576	664	cmd.exe	35

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1"	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
976	attrib.exe
1504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe
"C:\Users\Admin\AppData\Local\Temp\917fa5baf49e22e84efaded9489bae51466b4be3823118dadd5f3d6835b6ac62.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Windows\system32\winsock.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Windows\system32\winkernel32.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

3

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winkernel32.exe

Filesize
84KB

MD5
38d23b46f6efcba0291d0fcd8749b9c4

SHA1
22c78b4a3ca543dddb7fad0df9bc8e35a1a13052

SHA256
15345a6500084d3f25591384991a183f7757563eee03b337ccafa84bd3249392

SHA512
b2251e39da2e6a0932509d1129ef4d5a3494b758550e85dc0e6fdce584f60f638a52dc9744dc0833e34b7961a15c7fda4c66ca5ceca4e10ff04982238be62a53

Download Submit
C:\Windows\SysWOW64\winsock.exe

Filesize
83KB

MD5
1ebbff278064ece069d0d2024c802401

SHA1
559aaef53f89b25a4cb15f54fea4ce57d2305dea

SHA256
a9f5debfffb59f5ca5c478cdc252683623ce4d7de7603b0219f51e7edfb351d9

SHA512
281564e3ba114a6d5fb64f47ef1b882e85c099e031bff906839f6e28075431eee56eeb40d7b1e25786ce4d8df40bf1de6b8451f67393eed64f0327b4eeb9bd85

Download Submit
memory/1744-62-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads