97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42

Analysis

max time kernel
76s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

306KB
MD5

f9f7e4b734d555814439256a4550a9dd
SHA1

110f36964c9ad34d35e7afeb48215764500d37cd
SHA256

97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42
SHA512

5d80924fe621eeb456e213812efabd545b156adcd13d83068ce76572bb199d9f10f606efd8d9c2fb0fff4b3318cde384b390b8e94cd8dc82955718cf62ea691e
SSDEEP

6144:ZaA+l9nqPU0wLpfAWGWrF4pXkgJFF1kCsOPF/TbL8LahOlosA:ZJ+l9sUxpUiF4lksFmCr/TbLAaAlo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\ViperFolder\\FiperA.exe\","	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 2200	1452	tmp.exe	87

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2200	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1452	tmp.exe
1452	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87
PID 1452 wrote to memory of 2200	1452	tmp.exe	87

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-142-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1452-134-0x00000000001B0000-0x0000000000202000-memory.dmp

Filesize
328KB

Download
memory/1452-135-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/1452-136-0x0000000036110000-0x0000000036176000-memory.dmp

Filesize
408KB

Download
memory/1452-137-0x0000000036820000-0x00000000368B2000-memory.dmp

Filesize
584KB

Download
memory/1452-138-0x0000000036E70000-0x0000000037414000-memory.dmp

Filesize
5.6MB

Download
memory/1452-133-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/2200-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2200-143-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/2200-144-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/2200-145-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/2200-146-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/2200-147-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download