Analysis
-
max time kernel
312s -
max time network
316s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2022 18:37
Static task
static1
Behavioral task
behavioral1
Sample
ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe
Resource
win7-20220812-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe
-
Size
345KB
-
MD5
6f403a69d4af7163d86761e4a167b712
-
SHA1
3550bd0a2494386b0899c8ef3c6a40ebceae5b1b
-
SHA256
ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa
-
SHA512
dc557de56b27f6aa5afb4227d76120eee62024d0392fd87365c5d565a6e060499b8217e3e00c87a2d0a6b84084a294ae2fccaa8cb7ef278a14439dfc9c3e0e23
-
SSDEEP
6144:84SSBD8a4i6HooXX7Kt4mrhnK+vhGxKAcqKQHHj0YEL9msxpxY:84SSByHVXnYK+vCcOgYDWXY
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe," ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ntos.exe ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe File created C:\Windows\SysWOW64\ntos.exe ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3 PID 3384 wrote to memory of 592 3384 ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe 3
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:592
-
C:\Users\Admin\AppData\Local\Temp\ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe"C:\Users\Admin\AppData\Local\Temp\ee0e0807d5a84f43fcdcb7776f9b681e0fcde338b23dd793b8ce76c95ee32ffa.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384