bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26

Analysis

max time kernel
111s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe
Size

108KB
MD5

e96b41ce209c0f7b2fa1063aa87e2dc2
SHA1

f5e54c9b95c0f70745fb24c4185e58de3433d9a9
SHA256

bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26
SHA512

c4e9fab847f63a9ce2ab7255fc2c8627a5f7924ee291fe39d1176075d3c7836fdc870d863036cdcce62930a872750c989c1cbbe75c165af657a11dc35f1a125d
SSDEEP

1536:8Ily2lGtgJmKIY1F4b13WP/4oxllB00p:8Oy2ldQbZWPAoLM0p

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protect_autorun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe /start"	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3828	taskkill.exe
624	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe
4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe
4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 3828	4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe	80
PID 4040 wrote to memory of 3828	4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe	80
PID 4040 wrote to memory of 3828	4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe	80
PID 4040 wrote to memory of 624	4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe	81
PID 4040 wrote to memory of 624	4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe	81
PID 4040 wrote to memory of 624	4040	bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe	81

C:\Users\Admin\AppData\Local\Temp\bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe
"C:\Users\Admin\AppData\Local\Temp\bacd85ea2cce657df3685901094d93639ee2efe7284d484f0612ac92cf856f26.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /T /IM toy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /T /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4040-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4040-135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads