71fa7d93cfb8dc84d792906e9b547dff02b8dccaf8a90f3f63f56f3fe058f809

General

Target

13e794bd094779cebd455a03ca744ed6.exe
Size

1.9MB
MD5

13e794bd094779cebd455a03ca744ed6
SHA1

84cbee14c5e4f7a9a5cde993c737d7dcb294be27
SHA256

71fa7d93cfb8dc84d792906e9b547dff02b8dccaf8a90f3f63f56f3fe058f809
SHA512

ebef1f18d0e9a4d2c3717b96facd5f787621afc2895bc425ece55a2defe34af1e100328b31b094a566faf9987f32fbbf28332f7e8a76688d4cefbe9b2417afba
SSDEEP

24576:NZAjphUYz2zEi5ZoFRw9hQtrda7mg3ksJ4vAzs58pxAW0BMfQ+3arWuvzzIny:XkjpFvwgwo+3arWNny

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2920	~DP5754.exe
2724	~DP5957.exe
2872	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
1228	13e794bd094779cebd455a03ca744ed6.exe
1228	13e794bd094779cebd455a03ca744ed6.exe
1228	13e794bd094779cebd455a03ca744ed6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nvchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~DP5754.exe"	~DP5754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nvchost = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	~DP5754.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2872	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2920	1228	13e794bd094779cebd455a03ca744ed6.exe	28
PID 1228 wrote to memory of 2920	1228	13e794bd094779cebd455a03ca744ed6.exe	28
PID 1228 wrote to memory of 2920	1228	13e794bd094779cebd455a03ca744ed6.exe	28
PID 1228 wrote to memory of 2920	1228	13e794bd094779cebd455a03ca744ed6.exe	28
PID 1228 wrote to memory of 2724	1228	13e794bd094779cebd455a03ca744ed6.exe	29
PID 1228 wrote to memory of 2724	1228	13e794bd094779cebd455a03ca744ed6.exe	29
PID 1228 wrote to memory of 2724	1228	13e794bd094779cebd455a03ca744ed6.exe	29
PID 1228 wrote to memory of 2724	1228	13e794bd094779cebd455a03ca744ed6.exe	29
PID 2920 wrote to memory of 2872	2920	~DP5754.exe	30
PID 2920 wrote to memory of 2872	2920	~DP5754.exe	30
PID 2920 wrote to memory of 2872	2920	~DP5754.exe	30
PID 2920 wrote to memory of 2872	2920	~DP5754.exe	30

C:\Users\Admin\AppData\Local\Temp\13e794bd094779cebd455a03ca744ed6.exe
"C:\Users\Admin\AppData\Local\Temp\13e794bd094779cebd455a03ca744ed6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\~DP5754.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP5754.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\~DP5957.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP5957.exe"
  2⤵
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DP5957.exe

Filesize
991KB

MD5
dc2f6260d48dc80b6a25760002f1c764

SHA1
70be399f2c766b7758d0955885abe1b815b2a955

SHA256
554475a8b9e5029e22c742fff9e9563c1ccbc6824172cb6228504816c86f4269

SHA512
fd063891b31c9da840eef1501fe58829df2becd60c7c93dd887f09df0474d7cbc60da780a8ea10fffe2bd316ebad2aefcad18fb50532b8889291d45d8752dccc

Download Submit
C:\Windows\winlogon.exe

Filesize
74KB

MD5
cc4a7dda31a3a9f85b764066ccb1e6a2

SHA1
63fda7c4758dd3f730dc2c75f58daf0442b6f0ed

SHA256
73d3e6200b7eb6466d103413ec30078680f8105d1768e1be6c38dc9e250fdac4

SHA512
c3dac7cbaed7e19e92b9924e5379a61c563fd333a413dd64668bb44207481a3f8f20c3a4911560c6747443f7c2d8943a0578b100415f943f82c1cf8db29f654c

Download Submit
\Users\Admin\AppData\Local\Temp\~DP5754.exe

Filesize
156KB

MD5
b6d86545f6d07c059edfcfbf6e7e2bb1

SHA1
7783341895cc24d1e29a9a0f12bf0c8551a4d790

SHA256
85fa635c3b491e8fdd69eec199dd99cfe1f0a8309b21d0ff528b8ab172062cf1

SHA512
0406daf1f7f1e0bd74b27aae5a13095af43da91c7c827b367059c456dd8d6c30f27604abd4c8dcbc1164706ecbef47b73eb9f2bd0708ad4035957535636cf9ce

Download Submit
\Users\Admin\AppData\Local\Temp\~DP5957.exe

Filesize
798KB

MD5
b7743df73b93bd3661e1172d7a14e5db

SHA1
39512fa600d9e7ce964e8d6caaea0886f219721a

SHA256
8cf9e3fabc49a5156e1bb35f7cea8b6c62ddbacafb0f3510aa509e41b1119e30

SHA512
b05dc923e94ae78ece410154aba5fc50808a84801c3ce004ccb6769b3cae36df777049ea180ab8267a69e8de6dc2f8b14b98ab0562831da540a677ab4750d64d

Download Submit
memory/1228-4-0x0000000002820000-0x0000000002883000-memory.dmp

Filesize
396KB

Download
memory/1228-10-0x0000000002820000-0x0000000002883000-memory.dmp

Filesize
396KB

Download
memory/1228-18-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2724-28-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/2872-27-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-12-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-25-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads