b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883

General

Target

b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe
Size

23KB
MD5

7193b531605532242806a6a37fdc4b58
SHA1

fa64fbf72c4a9c5190edcdefc346dbc829fee7ef
SHA256

b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883
SHA512

4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad
SSDEEP

384:CLJ0kGOFOGFtfFVk/wQPpwsjvt1RP+/R8HWhsRf3oyMsB5g:CNbfUYQPzjvt1ZWhsRASg

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1080	cmd.exe
1080	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1364	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	28
PID 1356 wrote to memory of 1364	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	28
PID 1356 wrote to memory of 1364	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	28
PID 1356 wrote to memory of 1364	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	28
PID 1356 wrote to memory of 1080	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	30
PID 1356 wrote to memory of 1080	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	30
PID 1356 wrote to memory of 1080	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	30
PID 1356 wrote to memory of 1080	1356	b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe	30
PID 1080 wrote to memory of 1600	1080	cmd.exe	32
PID 1080 wrote to memory of 1600	1080	cmd.exe	32
PID 1080 wrote to memory of 1600	1080	cmd.exe	32
PID 1080 wrote to memory of 1600	1080	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe
"C:\Users\Admin\AppData\Local\Temp\b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Executes dropped EXE
    PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
23KB

MD5
7193b531605532242806a6a37fdc4b58

SHA1
fa64fbf72c4a9c5190edcdefc346dbc829fee7ef

SHA256
b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883

SHA512
4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
23KB

MD5
7193b531605532242806a6a37fdc4b58

SHA1
fa64fbf72c4a9c5190edcdefc346dbc829fee7ef

SHA256
b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883

SHA512
4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
23KB

MD5
7193b531605532242806a6a37fdc4b58

SHA1
fa64fbf72c4a9c5190edcdefc346dbc829fee7ef

SHA256
b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883

SHA512
4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
23KB

MD5
7193b531605532242806a6a37fdc4b58

SHA1
fa64fbf72c4a9c5190edcdefc346dbc829fee7ef

SHA256
b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883

SHA512
4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad

Download Submit
memory/1080-63-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1080-64-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1080-67-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads