ad3bcb65313043b1a43b8fb210f3a20a87df8a8145ed9a18b086d0859616caa2

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
Size

58KB
MD5

b364e74e14f8a51d8198ddf8716dea25
SHA1

a3477e425332dfec0c622f1a50cf80f1f6891110
SHA256

f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df
SHA512

cbc1a5f451d1fe8242466c357dcb6f6b7376ffb47f797930d88a282889711d6bcfad500243ce1b41bbc92ea4bab9094b8ea8f1415326ae2fceffae71a4f5f329
SSDEEP

1536:wskqTQNhMxETZWr6PEwnAdlN3MBDCAZp4Y4/e66:5QYiupWDLce

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe"	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe

Disables Task Manager via registry modification
evasion

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe

pid	process
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
5032	f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe

C:\Users\Admin\AppData\Local\Temp\f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
"C:\Users\Admin\AppData\Local\Temp\f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Suspicious use of SetWindowsHookEx
PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xFoLOOOSErs.txt
Filesize
56B

MD5
af20189f6a3880ae6bb3d5f0d6ebe2ba

SHA1
1dbebff7cd1113ee2fab253cf8eb5a29f2bf6714

SHA256
9918fa7c2740853531a41e7675f4e09bc1c987afb556c5d2fcdd3f80f16056d0

SHA512
a6bb1ebee91339d6446a4bd4e706973f125347bc84b882c616e8abecf71a8c13d2f74ddb8de814a83e7584d90699898186bf1f4f235312e5871e7f84fdedfa0f

Download Submit
memory/5032-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-89-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-100-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-111-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-122-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-156-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download