9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b

General

Target

9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
Size

259KB
MD5

b2b218083c76956a3dd40de510b65c27
SHA1

4822b6d15e0c464c0d18790698c7c6234cb474df
SHA256

9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b
SHA512

70a057d0747629c4f186693a85005a20d7a4c8078272dac629e2de5fb36c1f7ab72bc79d8f3f77f757436b83fd012869b769b99e537229182931d48cb5068cdb
SSDEEP

6144:vx9PP90i6dC9i2e3ijBHJ6/gkToLcXKAJEBdW7YXxglx3Jysk+:p9n90i6YivuB8tgeLQaljJk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\9816CD~1.EXE,"	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9816CD~1.EXE"	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9816CD~1.EXE"	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dd5e8ae2 = "N„cðíª\x0enÚ-C\t}\x138\u009d\x17¶qe¨<XèØ%u\")ø\tûTÃF$=¡V\bFÚ:8!¹F÷\x04·\x16ÕÇ:d–»ÀÔêÁ-ŸT5ÃÔ}í“oâ4$x+/Ó/Œ\x16ÍÂ=dó7Ô‰\x14§„à/¤+ggÈNýù\x1f¤l-·ç…ìí]l¼}õÅ\x1ed{=ü¬\x1eÿ\r&{\u00ad\u008f%\f\u008dD\x14/§#Ôg§Ï\u009dw•ûÇ„Ï”,Ü´Gô'¼Cå\u008d\u009dÄï\rÜ\x1cÜ”\fü5ŸosDŽU4Ä¦smä7–DÜ\x05\u009dûÌd\x1c\\T}í^g½ä\x17”\x04\f–‡ö\u009d\u008dmÏï\fm¼Ü¿óû\x1eþ\u009d¥\x14\x04W%\u009då\|Üdd¼•k\f´\f\x05Vô¿eËË\x14M\x05ôeóµ†Ì-ô_î"	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
Token: SeSecurityPrivilege	1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
Token: SeSecurityPrivilege	1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
Token: SeSecurityPrivilege	1972	9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe

C:\Users\Admin\AppData\Local\Temp\9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe
"C:\Users\Admin\AppData\Local\Temp\9816cd09e45d23bcb83e0367bf4abac7ca9fad0bd7cfa8ace827b3f18bd2a70b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-54-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1972-55-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/1972-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1972-57-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1972-59-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/1972-58-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/1972-60-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/1972-62-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/1972-63-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/1972-65-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/1972-66-0x0000000002550000-0x0000000002608000-memory.dmp

Filesize
736KB

Download
memory/1972-67-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/1972-68-0x0000000002550000-0x0000000002608000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads