e47f2ef05bb54c3846381a68b649e4fbfddc88f28e5234561dd6db300ebc3cd9

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

411c9be1fd7c502768eaffed6df2a415.exe
Size

156KB
MD5

411c9be1fd7c502768eaffed6df2a415
SHA1

9f9f76dd49bc79b357280744b57f17a95d210a57
SHA256

e47f2ef05bb54c3846381a68b649e4fbfddc88f28e5234561dd6db300ebc3cd9
SHA512

fa6628cd39d0de58f0b1f370705a34e72ef252f46c471e601e8bf3b7c95aeda79b72e5551f370c31d3e9d9ff64070ecd7e1d63ca2140269289619236434502e1
SSDEEP

192:ENrN1miRx8TeAOU190BBkxCQOXW8Vn3NLg5qPCVu1miRx:8UTRyBbQiVnShVW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,New Folder.exe"	411c9be1fd7c502768eaffed6df2a415.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\New Folder = "New Folder.exe"	411c9be1fd7c502768eaffed6df2a415.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\New Folder.exe	411c9be1fd7c502768eaffed6df2a415.exe
File opened for modification	C:\Windows\SysWOW64\New Folder.exe	411c9be1fd7c502768eaffed6df2a415.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	411c9be1fd7c502768eaffed6df2a415.exe

C:\Users\Admin\AppData\Local\Temp\411c9be1fd7c502768eaffed6df2a415.exe
"C:\Users\Admin\AppData\Local\Temp\411c9be1fd7c502768eaffed6df2a415.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\New Folder.exe

Filesize
156KB

MD5
411c9be1fd7c502768eaffed6df2a415

SHA1
9f9f76dd49bc79b357280744b57f17a95d210a57

SHA256
e47f2ef05bb54c3846381a68b649e4fbfddc88f28e5234561dd6db300ebc3cd9

SHA512
fa6628cd39d0de58f0b1f370705a34e72ef252f46c471e601e8bf3b7c95aeda79b72e5551f370c31d3e9d9ff64070ecd7e1d63ca2140269289619236434502e1

Download Submit
C:\yahoopath.txt

Filesize
29B

MD5
fd0352154f1cc869b288f52f796fe995

SHA1
6404f8722ae07f0a0094ebc8853e5dc23bd6cc58

SHA256
0ed08c7293823e434fadf2dc3ec9ebf99fc2f469bdf0dd5b0f8231fa8bc794fa

SHA512
07b9cfe0cde1f9ec33a72f0c5eaa8da3a6a8ea73f0a0ccac39ff647eec66bf05d0596f28065abfa3dc625d1798d244496258f6c840522d4277e5e07e42bf4eb3

Download Submit
memory/4348-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads