96712c5ddeebb32965f1c3efcb693b1156db72b43653fa0720eafd9d089b5ec2

Analysis

max time kernel
119s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fee71db70a28d721e7639b6c689fb1f.exe
Size

42KB
MD5

0fee71db70a28d721e7639b6c689fb1f
SHA1

256a7ab3789b5797cee870cc349321d09a4c3011
SHA256

96712c5ddeebb32965f1c3efcb693b1156db72b43653fa0720eafd9d089b5ec2
SHA512

7384410f37d0a25bd66a789ae2129c13c22d819c3dd0beff3b5ce98357ca04b1dce6d6e255ecd263ff1dd8a15a43f0b88a0ec0807b1f9287b80573bc5179c139
SSDEEP

768:5cNn4NBbcmUgY6hKzWeyLNfVRxt97SVyKwZdaIlg2b+KJAWxhg:Q4NPja5yLNdDtusZdaIb7+W

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	0fee71db70a28d721e7639b6c689fb1f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntos.exe	0fee71db70a28d721e7639b6c689fb1f.exe
File opened for modification	C:\Windows\SysWOW64\ntos.exe	0fee71db70a28d721e7639b6c689fb1f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1124	0fee71db70a28d721e7639b6c689fb1f.exe
1124	0fee71db70a28d721e7639b6c689fb1f.exe
1124	0fee71db70a28d721e7639b6c689fb1f.exe
1124	0fee71db70a28d721e7639b6c689fb1f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	0fee71db70a28d721e7639b6c689fb1f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3
PID 1124 wrote to memory of 608	1124	0fee71db70a28d721e7639b6c689fb1f.exe	3

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\0fee71db70a28d721e7639b6c689fb1f.exe
"C:\Users\Admin\AppData\Local\Temp\0fee71db70a28d721e7639b6c689fb1f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/608-15-0x00000000199E0000-0x0000000019A02000-memory.dmp

Filesize
136KB

Download
memory/608-20-0x0000000019A10000-0x0000000019A32000-memory.dmp

Filesize
136KB

Download
memory/608-25-0x0000000019A40000-0x0000000019A62000-memory.dmp

Filesize
136KB

Download
memory/608-30-0x0000000019A70000-0x0000000019A92000-memory.dmp

Filesize
136KB

Download
memory/608-35-0x0000000019AA0000-0x0000000019AC2000-memory.dmp

Filesize
136KB

Download
memory/608-40-0x0000000019AD0000-0x0000000019AF2000-memory.dmp

Filesize
136KB

Download
memory/608-45-0x0000000019B00000-0x0000000019B22000-memory.dmp

Filesize
136KB

Download
memory/608-50-0x0000000019B30000-0x0000000019B52000-memory.dmp

Filesize
136KB

Download
memory/608-55-0x0000000019B60000-0x0000000019B82000-memory.dmp

Filesize
136KB

Download
memory/608-65-0x0000000019BC0000-0x0000000019BE2000-memory.dmp

Filesize
136KB

Download
memory/608-60-0x0000000019B90000-0x0000000019BB2000-memory.dmp

Filesize
136KB

Download
memory/608-70-0x0000000019BF0000-0x0000000019C12000-memory.dmp

Filesize
136KB

Download
memory/608-75-0x0000000019C20000-0x0000000019C42000-memory.dmp

Filesize
136KB

Download
memory/608-80-0x0000000019C50000-0x0000000019C72000-memory.dmp

Filesize
136KB

Download
memory/608-85-0x0000000019C80000-0x0000000019CA2000-memory.dmp

Filesize
136KB

Download
memory/608-95-0x0000000019CE0000-0x0000000019D02000-memory.dmp

Filesize
136KB

Download
memory/608-90-0x0000000019CB0000-0x0000000019CD2000-memory.dmp

Filesize
136KB

Download
memory/608-100-0x0000000019D10000-0x0000000019D32000-memory.dmp

Filesize
136KB

Download
memory/608-105-0x0000000019D40000-0x0000000019D62000-memory.dmp

Filesize
136KB

Download
memory/608-110-0x0000000019D70000-0x0000000019D92000-memory.dmp

Filesize
136KB

Download
memory/608-115-0x0000000019DA0000-0x0000000019DC2000-memory.dmp

Filesize
136KB

Download
memory/608-125-0x0000000019E00000-0x0000000019E22000-memory.dmp

Filesize
136KB

Download
memory/608-120-0x0000000019DD0000-0x0000000019DF2000-memory.dmp

Filesize
136KB

Download
memory/608-135-0x0000000019E60000-0x0000000019E82000-memory.dmp

Filesize
136KB

Download
memory/608-140-0x0000000019E90000-0x0000000019EB2000-memory.dmp

Filesize
136KB

Download
memory/608-145-0x0000000019EC0000-0x0000000019EE2000-memory.dmp

Filesize
136KB

Download
memory/608-130-0x0000000019E30000-0x0000000019E52000-memory.dmp

Filesize
136KB

Download
memory/608-150-0x0000000019EF0000-0x0000000019F12000-memory.dmp

Filesize
136KB

Download
memory/608-155-0x0000000019F20000-0x0000000019F42000-memory.dmp

Filesize
136KB

Download
memory/608-165-0x0000000019F80000-0x0000000019FA2000-memory.dmp

Filesize
136KB

Download
memory/608-170-0x0000000019FB0000-0x0000000019FD2000-memory.dmp

Filesize
136KB

Download
memory/608-160-0x0000000019F50000-0x0000000019F72000-memory.dmp

Filesize
136KB

Download
memory/608-175-0x0000000019FE0000-0x000000001A002000-memory.dmp

Filesize
136KB

Download
memory/608-180-0x000000001A010000-0x000000001A032000-memory.dmp

Filesize
136KB

Download
memory/608-185-0x000000001A040000-0x000000001A062000-memory.dmp

Filesize
136KB

Download
memory/608-195-0x000000001A0A0000-0x000000001A0C2000-memory.dmp

Filesize
136KB

Download
memory/608-200-0x000000001A0D0000-0x000000001A0F2000-memory.dmp

Filesize
136KB

Download
memory/608-210-0x000000001A130000-0x000000001A152000-memory.dmp

Filesize
136KB

Download
memory/608-215-0x000000001A160000-0x000000001A182000-memory.dmp

Filesize
136KB

Download
memory/608-225-0x000000001A1C0000-0x000000001A1E2000-memory.dmp

Filesize
136KB

Download
memory/608-230-0x000000001A1F0000-0x000000001A212000-memory.dmp

Filesize
136KB

Download
memory/608-235-0x000000001A220000-0x000000001A242000-memory.dmp

Filesize
136KB

Download
memory/608-240-0x000000001A250000-0x000000001A272000-memory.dmp

Filesize
136KB

Download
memory/608-250-0x000000001A2B0000-0x000000001A2D2000-memory.dmp

Filesize
136KB

Download
memory/608-255-0x000000001A2E0000-0x000000001A302000-memory.dmp

Filesize
136KB

Download
memory/608-260-0x000000001A310000-0x000000001A332000-memory.dmp

Filesize
136KB

Download
memory/608-270-0x000000001A370000-0x000000001A392000-memory.dmp

Filesize
136KB

Download
memory/608-275-0x000000001A3A0000-0x000000001A3C2000-memory.dmp

Filesize
136KB

Download
memory/608-285-0x000000001A400000-0x000000001A422000-memory.dmp

Filesize
136KB

Download
memory/608-290-0x000000001A430000-0x000000001A452000-memory.dmp

Filesize
136KB

Download
memory/608-300-0x000000001A490000-0x000000001A4B2000-memory.dmp

Filesize
136KB

Download
memory/608-305-0x000000001A4C0000-0x000000001A4E2000-memory.dmp

Filesize
136KB

Download
memory/608-310-0x000000001A4F0000-0x000000001A512000-memory.dmp

Filesize
136KB

Download
memory/608-320-0x000000001A550000-0x000000001A572000-memory.dmp

Filesize
136KB

Download
memory/608-325-0x000000001A580000-0x000000001A5A2000-memory.dmp

Filesize
136KB

Download
memory/608-315-0x000000001A520000-0x000000001A542000-memory.dmp

Filesize
136KB

Download
memory/608-295-0x000000001A460000-0x000000001A482000-memory.dmp

Filesize
136KB

Download
memory/608-280-0x000000001A3D0000-0x000000001A3F2000-memory.dmp

Filesize
136KB

Download
memory/608-265-0x000000001A340000-0x000000001A362000-memory.dmp

Filesize
136KB

Download
memory/608-245-0x000000001A280000-0x000000001A2A2000-memory.dmp

Filesize
136KB

Download
memory/608-220-0x000000001A190000-0x000000001A1B2000-memory.dmp

Filesize
136KB

Download
memory/608-205-0x000000001A100000-0x000000001A122000-memory.dmp

Filesize
136KB

Download
memory/608-190-0x000000001A070000-0x000000001A092000-memory.dmp

Filesize
136KB

Download
memory/1124-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1124-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download