f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3

Analysis

max time kernel
70s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe
Size

36KB
MD5

a300dc8d756dd0cb863ae0c486f424e9
SHA1

d30b2ce11016659344a74955d933d405d7a7ad66
SHA256

f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3
SHA512

f49679820355d89946f6a63193281a127dccb2f1a4eab7fda0168dea2f9fefdce7a7acd189ce053c7fa7305e8ce0849cbc53dcc72596ae913c385f87a52d397b
SSDEEP

768:sUXfmTR6v/x9VINA9gEQPAhZTIDQ5sHS34:sUvmTgv/SNAEFS34

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\Amoumain.exe"	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe

Executes dropped EXE 1 IoCs

pid	Process
1356	Amoumain.exe

Loads dropped DLL 2 IoCs

pid	Process
844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe
844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Amoumain.exe	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe
1356	Amoumain.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1524	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	28
PID 844 wrote to memory of 1524	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	28
PID 844 wrote to memory of 1524	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	28
PID 844 wrote to memory of 1524	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	28
PID 844 wrote to memory of 1356	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	30
PID 844 wrote to memory of 1356	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	30
PID 844 wrote to memory of 1356	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	30
PID 844 wrote to memory of 1356	844	f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe	30

C:\Users\Admin\AppData\Local\Temp\f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe
"C:\Users\Admin\AppData\Local\Temp\f850d632c87e450df35e768522697bf8da37e3a2674acdd5810452c884dc87b3.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- C:\Windows\SysWOW64\Amoumain.exe
  C:\Windows\system32\Amoumain.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
8dfc31b4c3313e8d0b8a97f19a0d5353

SHA1
04f71371662e43ad6aa6bf5674afdcbd438f7168

SHA256
bfabe1379da502c3fd963786881efc746e12019f3b8243bb10d584c3545055ee

SHA512
e7c4a29cbe7861a318935209f055958dae64b7f7b5805a6ece4a8eda18ed4b5530b2d4a39efcb532f6db3976d7a779f9a81f73894d95fc2f9a2db1a5845a5321

Download Submit
C:\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
8dfc31b4c3313e8d0b8a97f19a0d5353

SHA1
04f71371662e43ad6aa6bf5674afdcbd438f7168

SHA256
bfabe1379da502c3fd963786881efc746e12019f3b8243bb10d584c3545055ee

SHA512
e7c4a29cbe7861a318935209f055958dae64b7f7b5805a6ece4a8eda18ed4b5530b2d4a39efcb532f6db3976d7a779f9a81f73894d95fc2f9a2db1a5845a5321

Download Submit
\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
8dfc31b4c3313e8d0b8a97f19a0d5353

SHA1
04f71371662e43ad6aa6bf5674afdcbd438f7168

SHA256
bfabe1379da502c3fd963786881efc746e12019f3b8243bb10d584c3545055ee

SHA512
e7c4a29cbe7861a318935209f055958dae64b7f7b5805a6ece4a8eda18ed4b5530b2d4a39efcb532f6db3976d7a779f9a81f73894d95fc2f9a2db1a5845a5321

Download Submit
\Windows\SysWOW64\Amoumain.exe

Filesize
36KB

MD5
8dfc31b4c3313e8d0b8a97f19a0d5353

SHA1
04f71371662e43ad6aa6bf5674afdcbd438f7168

SHA256
bfabe1379da502c3fd963786881efc746e12019f3b8243bb10d584c3545055ee

SHA512
e7c4a29cbe7861a318935209f055958dae64b7f7b5805a6ece4a8eda18ed4b5530b2d4a39efcb532f6db3976d7a779f9a81f73894d95fc2f9a2db1a5845a5321

Download Submit