Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 14:14
Static task: static1
Behavioral task: behavioral1
  Sample: bb7c7e52e5f88b1272b83b61ae6d458d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: bb7c7e52e5f88b1272b83b61ae6d458d.exe
  Resource: win10v2004-20231215-en
General
Target: bb7c7e52e5f88b1272b83b61ae6d458d.exe
Size: 97KB
MD5: bb7c7e52e5f88b1272b83b61ae6d458d
SHA1: 32690a1fcda4cd8a5dd26db421d5b6ecc5d35fa9
SHA256: 7dd34a46b3d5f344930f7ed3b0a511918dc16a76a11c9bd567fd5657e409d5e0
SHA512: 7c3117637cac9c7a8d2de597fac893d4270475ae9bda4a02204a14d465ab8c76675ccdc45ecc306ab52f26522dfd33f4f6c146dc8ac952a0c541b18185aaa3e2
SSDEEP: 1536:5M9nw/hT31GCSI6WB3IMeCn7EI50ru9nw/hT31GSu9nw/hT31GCSI6WB3IMeCn7U:95T3BF6sYMF725T315T3BF6sYMF7U
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | services.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Modifies visiblity of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Adds policy Run key to start application (2 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | qm4623.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | winlogon.exe
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | csrss.exe
Executes dropped EXE (7 IoCs)
pid | Process
2712 | smss.exe
2636 | winlogon.exe
2772 | services.exe
656 | csrss.exe
1412 | lsass.exe
2808 | qm4623.exe
1536 | m4623.exe
Loads dropped DLL (16 IoCs)
pid | Process | entries
2164 | bb7c7e52e5f88b1272b83b61ae6d458d.exe | 2
2712 | smss.exe | 3
2636 | winlogon.exe | 11
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | bb7c7e52e5f88b1272b83b61ae6d458d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | m4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | winlogon.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\X: | lsass.exe
File opened (read-only) | \??\Z: | lsass.exe
File opened (read-only) | \??\L: | lsass.exe
File opened (read-only) | \??\O: | lsass.exe
File opened (read-only) | \??\V: | lsass.exe
File opened (read-only) | \??\G: | lsass.exe
File opened (read-only) | \??\H: | lsass.exe
File opened (read-only) | \??\I: | lsass.exe
File opened (read-only) | \??\R: | lsass.exe
File opened (read-only) | \??\Y: | lsass.exe
File opened (read-only) | \??\K: | lsass.exe
File opened (read-only) | \??\M: | lsass.exe
File opened (read-only) | \??\Q: | lsass.exe
File opened (read-only) | \??\S: | lsass.exe
File opened (read-only) | \??\T: | lsass.exe
File opened (read-only) | \??\U: | lsass.exe
File opened (read-only) | \??\W: | lsass.exe
File opened (read-only) | \??\J: | lsass.exe
File opened (read-only) | \??\N: | lsass.exe
File opened (read-only) | \??\P: | lsass.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe
File created | C:\Windows\SysWOW64\c_29982k.com | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\getdomlist.txt | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | m4623.exe
File created | C:\Windows\SysWOW64\s4827\getdomlist.txt | cmd.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | services.exe
File created | C:\Windows\SysWOW64\s4827\m4623.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | lsass.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | m4623.exe
File created | C:\Windows\SysWOW64\s4827\c.bron.tok.txt | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\brdom.bat | lsass.exe
File created | C:\Windows\SysWOW64\c_29982k.com | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | csrss.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | csrss.exe
File created | C:\Windows\SysWOW64\s4827\domlist.txt | cmd.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | m4623.exe
File created | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\domlist.txt | lsass.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\brdom.bat | lsass.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
Drops file in Windows directory (39 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\_default29982.pif | services.exe
File opened for modification | C:\Windows\j6299822.exe | csrss.exe
File opened for modification | C:\Windows\_default29982.pif | csrss.exe
File created | C:\Windows\j6299822.exe | qm4623.exe
File created | C:\Windows\o4299827.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\o4299827.exe | smss.exe
File opened for modification | C:\Windows\_default29982.pif | lsass.exe
File opened for modification | C:\Windows\_default29982.pif | smss.exe
File opened for modification | C:\Windows\j6299822.exe | services.exe
File opened for modification | C:\Windows\j6299822.exe | winlogon.exe
File opened for modification | C:\Windows\j6299822.exe | m4623.exe
File opened for modification | C:\Windows\o4299827.exe | qm4623.exe
File opened for modification | C:\Windows\j6299822.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\j6299822.exe | smss.exe
File opened for modification | C:\Windows\o4299827.exe | winlogon.exe
File opened for modification | C:\Windows\Ad10218 | winlogon.exe
File created | C:\Windows\j6299822.exe | lsass.exe
File opened for modification | C:\Windows\j6299822.exe | qm4623.exe
File created | C:\Windows\o4299827.exe | lsass.exe
File opened for modification | C:\Windows\_default29982.pif | qm4623.exe
File created | C:\Windows\j6299822.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File created | C:\Windows\_default29982.pif | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\o4299827.exe | m4623.exe
File opened for modification | C:\Windows\j6299822.exe | lsass.exe
File opened for modification | C:\Windows\_default29982.pif | m4623.exe
File opened for modification | C:\Windows\o4299827.exe | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\o4299827.exe | services.exe
File created | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\o4299827.exe | csrss.exe
File created | C:\Windows\j6299822.exe | m4623.exe
File created | C:\Windows\_default29982.pif | m4623.exe
File opened for modification | C:\Windows\_default29982.pif | bb7c7e52e5f88b1272b83b61ae6d458d.exe
File opened for modification | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File created | C:\Windows\o4299827.exe | m4623.exe
File created | C:\Windows\_default29982.pif | qm4623.exe
File opened for modification | C:\Windows\_default29982.pif | winlogon.exe
File opened for modification | C:\Windows\o4299827.exe | lsass.exe
File created | C:\Windows\_default29982.pif | lsass.exe
File created | C:\Windows\o4299827.exe | qm4623.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTPs, 2 IoCs)
pid | Process
2176 | net.exe
2384 | net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2636 | winlogon.exe | 64
Suspicious use of WriteProcessMemory (56 IoCs)
Each write below is recorded four times in the report (14 distinct writes, 56 entries); every distinct write is listed once.
description | pid | Process | procid_target
PID 2164 wrote to memory of 2712 | 2164 | bb7c7e52e5f88b1272b83b61ae6d458d.exe | 30
PID 2712 wrote to memory of 2636 | 2712 | smss.exe | 31
PID 2636 wrote to memory of 2772 | 2636 | winlogon.exe | 33
PID 2636 wrote to memory of 656 | 2636 | winlogon.exe | 35
PID 2636 wrote to memory of 1412 | 2636 | winlogon.exe | 37
PID 2636 wrote to memory of 2808 | 2636 | winlogon.exe | 39
PID 2636 wrote to memory of 1536 | 2636 | winlogon.exe | 42
PID 2636 wrote to memory of 1600 | 2636 | winlogon.exe | 43
PID 2636 wrote to memory of 1004 | 2636 | winlogon.exe | 45
PID 2636 wrote to memory of 2200 | 2636 | winlogon.exe | 47
PID 1412 wrote to memory of 1940 | 1412 | lsass.exe | 51
PID 1940 wrote to memory of 2176 | 1940 | cmd.exe | 53
PID 1412 wrote to memory of 1748 | 1412 | lsass.exe | 54
PID 1748 wrote to memory of 2384 | 1748 | cmd.exe | 56
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\bb7c7e52e5f88b1272b83b61ae6d458d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb7c7e52e5f88b1272b83b61ae6d458d.exe"
  PID: 2164
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\s4827\smss.exe
    Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
    PID: 2712
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\s4827\winlogon.exe
      Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
      PID: 2636
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visiblity of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\s4827\services.exe
        Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
        PID: 2772
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visiblity of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      Level 4: C:\Windows\SysWOW64\s4827\csrss.exe
        Command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
        PID: 656
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visiblity of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      Level 4: C:\Windows\SysWOW64\s4827\lsass.exe
        Command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
        PID: 1412
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visiblity of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
          PID: 1940
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\net.exe
            Command line: net view /domain
            PID: 2176
            - Discovers systems in the same network

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Windows\system32\s4827\brdom.bat" "
          PID: 1748
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\net.exe
            Command line: net view /domain:WORKGROUP
            PID: 2384
            - Discovers systems in the same network

      Level 4: C:\Windows\Ad10218\qm4623.exe
        Command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
        PID: 2808
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visiblity of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      Level 4: C:\Windows\SysWOW64\s4827\m4623.exe
        Command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
        PID: 1536
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visiblity of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory

      Level 4: C:\Windows\SysWOW64\at.exe
        Command line: "C:\Windows\System32\at.exe" /delete /y
        PID: 1600

      Level 4: C:\Windows\SysWOW64\at.exe
        Command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
        PID: 1004

      Level 4: C:\Windows\SysWOW64\at.exe
        Command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
        PID: 2200
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (5)
Downloads
Filesize: 64KB
MD5: 703a9537d9c7950646649afeffb17d84
SHA1: 5b87ac4f75914d2210785d51243dc1a256836147
SHA256: 38c927b336512520a8d3e6bb343c96f41e249ef3ee6f01111520ab4ea69ec5d8
SHA512: da045b52f2bc5dd153efd68b3c29c16c6d2c20fe83fefa8fd73400ce520da73c16b13a882d97a5754b23a98fba44376de40c26704cd6ee1f3b98b153aece9631

Filesize: 97KB
MD5: bb7c7e52e5f88b1272b83b61ae6d458d
SHA1: 32690a1fcda4cd8a5dd26db421d5b6ecc5d35fa9
SHA256: 7dd34a46b3d5f344930f7ed3b0a511918dc16a76a11c9bd567fd5657e409d5e0
SHA512: 7c3117637cac9c7a8d2de597fac893d4270475ae9bda4a02204a14d465ab8c76675ccdc45ecc306ab52f26522dfd33f4f6c146dc8ac952a0c541b18185aaa3e2

Filesize: 73B
MD5: 6fc63a266767a5de3cc18f2b7ac5a703
SHA1: d23d7f8b213e9a311e37d058499502bd207c448e
SHA256: 3d08ce4422af041981e6e9b0c55bceeaac098940c5e37f459fa22eb472390812
SHA512: ee6b97e09d1a1de916771143235e545cccfab6d22d2355d5c7994a0c9aafcfd640bf78cbd19570dace378e4c1b8b784278c41c80d45a62ac60c75e944110976c

Filesize: 97KB
MD5: 90c71a68cefaa59293b14ece63732a16
SHA1: e8e15d8eef1eaf2f1c06ee2ac9ed85c785128aee
SHA256: cc32b7708736e0833229ec5b7dbf75eeb770070ce0b014c37fb34af92f0c169b
SHA512: 1dee3ef6e90280b89dc98c4461188189fbedae4e30740cd4cdf121b4410d301099728c620340af18b83e38e82bf35e66ff57b9b0f4c8fdbadebd233747aa967b

Filesize: 97KB
MD5: 0e0655c3063dec948c41ee7d0be45d56
SHA1: 2a4818eb5ba76b8e1384859195a33d2a9fcd1396
SHA256: 3c32e81fb10a286555c6fc3dac157e189998cf99c93269a0a1530a28a4c65920
SHA512: e215433fa9b65d70f4d69fa9317a32ee021300d82d1dd91a358b92b98e780b553c5cae55abb25df5fec084e8867b95db4ac4464b13bc65fcfa3f6a4a5b53e9ad

Filesize: 97KB
MD5: 4d951c36f7d2957c66f27db1b6fc015e
SHA1: d7bae32f81afdb7a4fedbf807c981b105a139a41
SHA256: a377d39c4d2387b4282d437ec8f21885574ddb9f2c9c49c7cf4e9710974e4850
SHA512: ac931922fb26af772136add29641c03e9dc6ef0f0f14771e6b08f4c10530d0aae0d10be6b574f5cd30f4b90747a3d045f999b2fe0ab07d0fec7b191bf7e801ae

Filesize: 97KB
MD5: 56d2e756deaf00550798b70559aa7d10
SHA1: ad5e044ebe20693fcdff0e58dd123004b880c24a
SHA256: 4e0964eb0def6ae0f3e8a576dbd8d5eabc9934588e530d33b7e1ce439964b068
SHA512: 7cd7c648a9fc94eb39e8c4cd463d3e1fab4f2b1cee3a186be222e524cc33e9fc4579385508fb92a8f7b6866854dafd63b94732ab64f32fce8f34e569a3518b5c