deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4

Analysis

max time kernel
65s
max time network
102s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 14:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4.exe
Size

88KB
MD5

a9b06405ade1fb352a066ce169ee24a4
SHA1

6ef3ad7b20388f931c09313595628ad00cf1ab55
SHA256

deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4
SHA512

1761ced06ba90942eb6670e71b7b7042243fcf7dfb7e4f6e33dd073201847237e37fa3ebf65acfe813f2cb36ba2eeaf2ee671f26460ee2ac7c58ced3eeb62831
SSDEEP

1536:IsCAFP8C3n/V3yUnyhROtB+PgGXgFkjXK5AKn9eNet9KLAStM/jwByVuTnT9KowX:IsCAp8C3n/VCUnsRfgQgajX/G9hKLASe

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ceylfka.dll	deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2044	deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4.exe

C:\Users\Admin\AppData\Local\Temp\deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4.exe
"C:\Users\Admin\AppData\Local\Temp\deecbcb422ae8dc390fddd604bcaf7c4791a385ab5f9312ba742410c34addeb4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-56-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/2044-54-0x0000000001000000-0x0000000001017000-memory.dmp

Filesize
92KB

Download
memory/2044-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/2044-57-0x0000000001000000-0x0000000001017000-memory.dmp

Filesize
92KB

Download