197a7f02aa8aba10b99db2b899bd6db518ebc3be1538e60ee7942fc790468df1

Analysis

max time kernel
61s
max time network
60s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaner.exe
Size

4KB
MD5

e9ded10dff258f6522fe9079ed3319ca
SHA1

b0127ea7675f6359bfa80a7bf6282bd1c989b405
SHA256

ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780
SHA512

d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cleaner.exe\""	cleaner.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cleaner.exe\""	cleaner.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1112

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads