Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/12/2023, 21:20
Static task
- static1
Behavioral task
- behavioral1: Sample 12c55895f54ce6a9840c3be8837f9dac.exe, Resource win7-20231215-en
Behavioral task
- behavioral2: Sample 12c55895f54ce6a9840c3be8837f9dac.exe, Resource win10v2004-20231215-en
General
- Target: 12c55895f54ce6a9840c3be8837f9dac.exe
- Size: 2.7MB
- MD5: 12c55895f54ce6a9840c3be8837f9dac
- SHA1: dcfff0d05b8893c083a25dc0ae7be76075071398
- SHA256: 3b24e3d7238406c007bad4039d77f3eed128366c37d94c2986fdb118e9d5a57e
- SHA512: 1347c2045d0ef513eb242de0b6663d14d225840b1f11d61a137860359cc9ffbf6b1481c9e1607005cd2d3fe1620a40fbb76bebdb33303a8b03ef4ad61afdb48b
- SSDEEP: 3072:UUXJ1OXAgGTRuu2qqXGUtAmHVhAiMiB0TTN/7hQl:UUCXcTY5NAmTkTJ7hM
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe wignifgp.exe" (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
- Modifies Installed Components in the registry (2 TTPs, 3 IoCs)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{tt9381D8F2-0288-11D0-9501-00AA00B911A5} (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{tt9381D8F2-0288-11D0-9501-00AA00B911A5}\StubPath = "C:\\Windows\\system32\\midiplgayer.exe" (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{tt9381D8F2-0288-11D0-9501-00AA00B911A5}\un = "1,aaaaaaaaaa" (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Windows = "C:\\Windows\\ccgcap.exe" (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
- Modifies WinLogon (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Windows\\system32\\nortonantviru.exe" (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
- Drops file in System32 directory (4 IoCs)
  - File created: C:\Windows\SysWOW64\nortonantviru.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - File created: C:\Windows\SysWOW64\midiplgayer.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - File opened for modification: C:\Windows\SysWOW64\nortonantviru.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - File opened for modification: C:\Windows\SysWOW64\midiplgayer.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\wignifgp.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - File opened for modification: C:\Windows\wignifgp.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - File created: C:\Windows\ccgcap.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
  - File opened for modification: C:\Windows\ccgcap.exe (process: 12c55895f54ce6a9840c3be8837f9dac.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 5016, process 12c55895f54ce6a9840c3be8837f9dac.exe
  - PID 5016, process 12c55895f54ce6a9840c3be8837f9dac.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 5016, process 12c55895f54ce6a9840c3be8837f9dac.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 5016 (12c55895f54ce6a9840c3be8837f9dac.exe) wrote to memory of PID 616 (target process id 84); the report lists this identical entry 64 times
Processes
- C:\Users\Admin\AppData\Local\Temp\12c55895f54ce6a9840c3be8837f9dac.exe (depth 1, PID 5016)
  command line: "C:\Users\Admin\AppData\Local\Temp\12c55895f54ce6a9840c3be8837f9dac.exe"
  - Modifies WinLogon for persistence
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2360)
    command line: C:\Windows\system32\cmd.exe /c c:\$$$$$$.bat
- C:\Windows\system32\winlogon.exe (depth 1, PID 616)
  command line: winlogon.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 506KB
  MD5: b70ef5a7ac7c85755793892312e33724
  SHA1: 0cb945d27efead72b6a5ac0f249d3df37feb5ef3
  SHA256: e1539e1a8e4a8484e0ffd63b1967dcd91b2a950437c2357d585a3319fedbf30b
  SHA512: 2cc112678a776794e0b6acddea5871874aea4cf11078793cb6dbda51b11e67b6767f2ff79b05fe565ef07ac35cd1886862a9ef7e27af6d76b9c7e0fbc3b8fbac
- Filesize: 201B
  MD5: 0609e4324721474e0a03ffbd1cfc41a1
  SHA1: a60f0daaae4e5f7a06b0e3fe409ce3dfd7d85796
  SHA256: b4a1b9dd0a476e9c6865b0ce4a2423e47351334d4165eb12bf7b511e866f29ec
  SHA512: e1d0e61f30611553a8726d5bb60ad59ef7e34306357be5d5aa58cb73657b17e39a63b112fef7c59958cd3e55ce50a3f4bd690ae8ecc3a61cb1abe68bb224eaf4