97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

306KB
MD5

f9f7e4b734d555814439256a4550a9dd
SHA1

110f36964c9ad34d35e7afeb48215764500d37cd
SHA256

97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42
SHA512

5d80924fe621eeb456e213812efabd545b156adcd13d83068ce76572bb199d9f10f606efd8d9c2fb0fff4b3318cde384b390b8e94cd8dc82955718cf62ea691e
SSDEEP

6144:ZaA+l9nqPU0wLpfAWGWrF4pXkgJFF1kCsOPF/TbL8LahOlosA:ZJ+l9sUxpUiF4lksFmCr/TbLAaAlo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\ViperFolder\\FiperA.exe\","	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2992	2796	tmp.exe	32

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2992	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe
2796	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	tmp.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 2820	2796	tmp.exe	29
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 3012	2796	tmp.exe	30
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2988	2796	tmp.exe	31
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32
PID 2796 wrote to memory of 2992	2796	tmp.exe	32

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-76-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-55-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-56-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2796-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2796-58-0x0000000000650000-0x0000000000686000-memory.dmp

Filesize
216KB

Download
memory/2796-59-0x0000000000700000-0x000000000074C000-memory.dmp

Filesize
304KB

Download
memory/2796-54-0x00000000001A0000-0x00000000001F2000-memory.dmp

Filesize
328KB

Download
memory/2992-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download