8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964

Analysis

max time kernel
152s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964.exe
Size

260KB
MD5

b8307333e82caa858e63d79354ee7fa3
SHA1

be851c158eb016d0055355eba179ca19aadf9fbd
SHA256

8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964
SHA512

9f3748915ad66ea6dd52a60fd59c7672a60b305a7e31d179bb0993fc7b4a6d0da06ea7b37e71d1e3b8a657355ae1fa72990d70fd22393564686a79d480d80b3e
SSDEEP

6144:tiuqIVxZG1xrJC5LeTMEDEHOGpZw9GasNg1ToSOy8Rzc51uil:tiuqIVsNC5LpRnaTTROjZ3

Score

6^/10

persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\eb2a0ba7 = "D*Ç\x1d\x1fuW"	8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1264	8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964.exe

C:\Users\Admin\AppData\Local\Temp\8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964.exe
"C:\Users\Admin\AppData\Local\Temp\8ee5c877ba55880abfd78984b30020a996f96282de111586c9d1cc3eefa3d964.exe"
1⤵
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1264-55-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1264-56-0x00000000027E0000-0x000000000288A000-memory.dmp

Filesize
680KB

Download
memory/1264-57-0x00000000027E0000-0x000000000288A000-memory.dmp

Filesize
680KB

Download
memory/1264-58-0x00000000027E0000-0x000000000288A000-memory.dmp

Filesize
680KB

Download
memory/1264-61-0x00000000027E0000-0x000000000288A000-memory.dmp

Filesize
680KB

Download
memory/1264-60-0x00000000027E0000-0x000000000288A000-memory.dmp

Filesize
680KB

Download
memory/1264-63-0x00000000027E0000-0x000000000288A000-memory.dmp

Filesize
680KB

Download
memory/1264-64-0x0000000002990000-0x0000000002A49000-memory.dmp

Filesize
740KB

Download