d00b8527779d3014b49708450eaed5cff5804f68944fad8c501f81c7ef83713e

General

Target

121f406624b9995f3f19c5dcfeab6a66.exe
Size

215KB
MD5

121f406624b9995f3f19c5dcfeab6a66
SHA1

1327fa593578ed4b90743427aa839293e25166f7
SHA256

d00b8527779d3014b49708450eaed5cff5804f68944fad8c501f81c7ef83713e
SHA512

5d3686b098838b50e5d01d80b7594f54a82bf9f9f716d7a2e9cba9049adb39899e48d29592a73146248728e603aefd72acda70c4ad1985266f1008660cbbb9a4
SSDEEP

6144:LS/ECKgcKNc+fwb1/d8eLCWLz8/Gs+nFeHT:hvgIdKeOWXyGs+nOT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2312	~DP8DCE.exe
2832	~DP8E3C.exe
2716	winlogon.exe

Loads dropped DLL 4 IoCs

pid	Process
2268	121f406624b9995f3f19c5dcfeab6a66.exe
2268	121f406624b9995f3f19c5dcfeab6a66.exe
2268	121f406624b9995f3f19c5dcfeab6a66.exe
2268	121f406624b9995f3f19c5dcfeab6a66.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~DP8DCE.exe"	~DP8DCE.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	~DP8DCE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2312	2268	121f406624b9995f3f19c5dcfeab6a66.exe	28
PID 2268 wrote to memory of 2312	2268	121f406624b9995f3f19c5dcfeab6a66.exe	28
PID 2268 wrote to memory of 2312	2268	121f406624b9995f3f19c5dcfeab6a66.exe	28
PID 2268 wrote to memory of 2312	2268	121f406624b9995f3f19c5dcfeab6a66.exe	28
PID 2268 wrote to memory of 2832	2268	121f406624b9995f3f19c5dcfeab6a66.exe	29
PID 2268 wrote to memory of 2832	2268	121f406624b9995f3f19c5dcfeab6a66.exe	29
PID 2268 wrote to memory of 2832	2268	121f406624b9995f3f19c5dcfeab6a66.exe	29
PID 2268 wrote to memory of 2832	2268	121f406624b9995f3f19c5dcfeab6a66.exe	29
PID 2312 wrote to memory of 2716	2312	~DP8DCE.exe	30
PID 2312 wrote to memory of 2716	2312	~DP8DCE.exe	30
PID 2312 wrote to memory of 2716	2312	~DP8DCE.exe	30
PID 2312 wrote to memory of 2716	2312	~DP8DCE.exe	30

C:\Users\Admin\AppData\Local\Temp\121f406624b9995f3f19c5dcfeab6a66.exe
"C:\Users\Admin\AppData\Local\Temp\121f406624b9995f3f19c5dcfeab6a66.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\~DP8DCE.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP8DCE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\~DP8E3C.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP8E3C.exe"
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DP8DCE.exe

Filesize
156KB

MD5
b524995de3a3a7fc987ce779cef59ff2

SHA1
6e6a0e733dd1fa27e98e0c077a8a0042e9bdf522

SHA256
92d895fa1e0eac56231f89fabf80db4d666afbf2369ea42f5fba5d2dabd0b2c0

SHA512
377dd960650514159f6e7f38007b5ed9da36e5f4bb970da64fed5bb82787877e094deeadb0fcfbbbf81be775f4a28b2078bab1e4efa35f5213598c11d32bb15e

Download Submit
\Users\Admin\AppData\Local\Temp\~DP8E3C.exe

Filesize
41KB

MD5
e9bcc69aefb08897ee5cb81546253705

SHA1
8435b204b98fbe563654e65ab58a1e0447c87f1c

SHA256
f1850e5c8eef81bd5080e303754f833b4a27498f6f0a9cdea730e16ed1ffcfa8

SHA512
0e99c859b84ed100de4df3b0890e00cf8cd33a7b7624278faccf7c903c049b513b3495518c1ad6ec54e83be2dc6077cdf3c41637a0ceecf84762dd59d9b6cb4d

Download Submit
memory/2268-18-0x0000000002760000-0x00000000027C3000-memory.dmp

Filesize
396KB

Download
memory/2268-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2268-21-0x0000000002760000-0x00000000027C3000-memory.dmp

Filesize
396KB

Download
memory/2268-44-0x0000000002760000-0x00000000027C3000-memory.dmp

Filesize
396KB

Download
memory/2312-22-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2312-26-0x0000000000600000-0x0000000000663000-memory.dmp

Filesize
396KB

Download
memory/2312-31-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2716-32-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2716-46-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2832-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2832-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads