9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a

General

Target

9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
Size

359KB
MD5

b0bdf44f778fc298ad3ebf755e94d2f0
SHA1

1e028ebbaa609457f1f2dbe5c2f6535af60f3951
SHA256

9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a
SHA512

ee1fdcf7320da47167a34510ebc0686253bed0f28215cc6a3c270a5b134dffa76e70c88f5b705d718cdaca47394622bda07280dd0ac979b9fec70ea26884defe
SSDEEP

6144:vLLPlr5IoEutpsGY+d7IafH+bZbdQ1ihIGsYR8Ima9gE4B5r7L0/c:jLtft6V+hVfelhtnsYR8Ima9gE4BGc

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\41c40e2a\\X"	Explorer.EXE

Executes dropped EXE 2 IoCs

pid	Process
332	csrss.exe
912	X

Deletes itself 1 IoCs

pid	Process
1532	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1532	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{a8b10a90-7cc9-cb3a-842b-f0e02d692f2a}	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a8b10a90-7cc9-cb3a-842b-f0e02d692f2a}\u = "137"	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a8b10a90-7cc9-cb3a-842b-f0e02d692f2a}\cid = "3577536560491518170"	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
912	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
Token: SeDebugPrivilege	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1220	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	14
PID 1644 wrote to memory of 332	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	25
PID 1644 wrote to memory of 912	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	28
PID 1644 wrote to memory of 912	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	28
PID 1644 wrote to memory of 912	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	28
PID 1644 wrote to memory of 912	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	28
PID 912 wrote to memory of 1220	912	X	14
PID 1644 wrote to memory of 1532	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	29
PID 1644 wrote to memory of 1532	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	29
PID 1644 wrote to memory of 1532	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	29
PID 1644 wrote to memory of 1532	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	29
PID 1644 wrote to memory of 1532	1644	9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220
- C:\Users\Admin\AppData\Local\Temp\9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe
  "C:\Users\Admin\AppData\Local\Temp\9fd93a468e120bd26b4412d47452bc797864d0a0f74a450a0f93205067e2634a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\41c40e2a\X
    176.53.17.24:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:1532

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\41c40e2a\@

Filesize
2KB

MD5
45da9504309d0e74f04544bdb93d2489

SHA1
9144864570104a28a336f614d0d6eefbd330c284

SHA256
d49d89c47ab3cef07202e675fc4f4734393f471d0676ca4826118604a57c02d2

SHA512
cead56d078c3498f228f3d7bb3598b481edb0957d1e1dbc9483e7126f2ec21398f3a9c23a0d38649eeaf06a7bcfa4c9842c4ab7d91475cd20a145e93e3be590f

Download Submit
C:\Users\Admin\AppData\Local\41c40e2a\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
C:\Windows\system32\consrv.dll

Filesize
31KB

MD5
2718f2d89cab642e96ebad313b64f478

SHA1
94b8e9d95786d2e03bfe61df5705f0bfb8b77f19

SHA256
765090821b30dbca4bdf96de0ffeeeb8821013a643f9405285ef7acdb44fab58

SHA512
e25172284c1e5206568310b7a4bb0c62445a56bc5bcaae65dd39ed86456df03faa20e1a883d0df60c9253b250ff7e8d11e7bb05f89dca69ba7c5b261f35a70f6

Download Submit
\Users\Admin\AppData\Local\41c40e2a\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
\Users\Admin\AppData\Local\41c40e2a\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
2718f2d89cab642e96ebad313b64f478

SHA1
94b8e9d95786d2e03bfe61df5705f0bfb8b77f19

SHA256
765090821b30dbca4bdf96de0ffeeeb8821013a643f9405285ef7acdb44fab58

SHA512
e25172284c1e5206568310b7a4bb0c62445a56bc5bcaae65dd39ed86456df03faa20e1a883d0df60c9253b250ff7e8d11e7bb05f89dca69ba7c5b261f35a70f6

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
27e9b92954daf55fd20400893cd1d838

SHA1
2ddb6dd4004e26dd1486c6e310c7abef75aeeb4c

SHA256
ff3b3559f75eeec9978b710888786f6249ffcb21293f63989798eef2f113fa80

SHA512
096e2b0ea46b8407f3e9ee0e416d9089b0b56198d4a7fd2834cfe91865b9ff3739434a59e820d75daba0d0cbe1b3cde27d33571909025a45221d45590f47a978

Download Submit
memory/332-79-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/1220-74-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/1220-97-0x00000000029F0000-0x00000000029FB000-memory.dmp

Filesize
44KB

Download
memory/1220-99-0x00000000029F0000-0x00000000029FB000-memory.dmp

Filesize
44KB

Download
memory/1220-98-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1220-70-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/1220-96-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1220-94-0x0000000002980000-0x000000000298B000-memory.dmp

Filesize
44KB

Download
memory/1220-66-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/1220-90-0x0000000002980000-0x000000000298B000-memory.dmp

Filesize
44KB

Download
memory/1220-86-0x0000000002980000-0x000000000298B000-memory.dmp

Filesize
44KB

Download
memory/1644-81-0x0000000001F70000-0x0000000002070000-memory.dmp

Filesize
1024KB

Download
memory/1644-63-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1644-57-0x0000000000771000-0x00000000007B9000-memory.dmp

Filesize
288KB

Download
memory/1644-55-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1644-80-0x0000000000400000-0x0000000000464FD8-memory.dmp

Filesize
403KB

Download
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-78-0x0000000001F70000-0x0000000002070000-memory.dmp

Filesize
1024KB

Download
memory/1644-77-0x00000000003A1000-0x00000000003BD000-memory.dmp

Filesize
112KB

Download
memory/1644-60-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1644-101-0x0000000000400000-0x0000000000464FD8-memory.dmp

Filesize
403KB

Download
memory/1644-102-0x0000000000771000-0x00000000007B9000-memory.dmp

Filesize
288KB

Download
memory/1644-56-0x0000000000400000-0x0000000000464FD8-memory.dmp

Filesize
403KB

Download

Analysis

Sharing