c2558ec4c4caef28d6f6d2441ee9ee99aa1acbfd8d8699db40df3cd647fbb434

General

Target

20571ee9c9d1300f6716bdb39ca79505.exe
Size

95KB
MD5

20571ee9c9d1300f6716bdb39ca79505
SHA1

8258d260809ca4ac7d06f70f5b603088afcc82d5
SHA256

c2558ec4c4caef28d6f6d2441ee9ee99aa1acbfd8d8699db40df3cd647fbb434
SHA512

4af614ee56c5b2b8de6bf9e31e4a7feadce30b414a1e5e76aceaf55bd89ff920d53d2b411e44655157c23faee0af7a452e848806c0bcfac9c0c098b630d7f37a
SSDEEP

1536:h0q5sUQpTQJP6FBe/R6Gq86jRlMCLMA04UQDLqqvh/GrxlX7+Kkr9cVz9NlTQyEq:rsUETQHRPq8aR6CLn0hQfqQ9GrxlX7kQ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:/windows/services.exe"	regedit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\xxxx.bat	20571ee9c9d1300f6716bdb39ca79505.exe
File created	C:\windows\services.exe	20571ee9c9d1300f6716bdb39ca79505.exe
File created	C:\windows\update.exe	20571ee9c9d1300f6716bdb39ca79505.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2708	regedit.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2760	1048	20571ee9c9d1300f6716bdb39ca79505.exe	29
PID 1048 wrote to memory of 2760	1048	20571ee9c9d1300f6716bdb39ca79505.exe	29
PID 1048 wrote to memory of 2760	1048	20571ee9c9d1300f6716bdb39ca79505.exe	29
PID 1048 wrote to memory of 2760	1048	20571ee9c9d1300f6716bdb39ca79505.exe	29
PID 2760 wrote to memory of 2708	2760	cmd.exe	32
PID 2760 wrote to memory of 2708	2760	cmd.exe	32
PID 2760 wrote to memory of 2708	2760	cmd.exe	32
PID 2760 wrote to memory of 2708	2760	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\20571ee9c9d1300f6716bdb39ca79505.exe
"C:\Users\Admin\AppData\Local\Temp\20571ee9c9d1300f6716bdb39ca79505.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\xxxx.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S temp.reg
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF05A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF0AB.tmp

Filesize
22KB

MD5
f8f474e11c507c7ad2f23b0fd0772a09

SHA1
edd4a165e6b1caf9c92139a333446758b8598dae

SHA256
ef29742385cf7bcbac185e99127e20080681ce105cdb91554712ffe1e83e14df

SHA512
f04d0e1f25602e6927f8514203d80cb5e92a8b4c090dc99cdb74072e8f6748ed3c6bdcfb3bff301096725e1e75a5ff39832daf652014e9e9636750c7591f452d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.reg

Filesize
138B

MD5
13a0a82b2985f477c8857184e7ba7407

SHA1
dfd8ef76f62a22d665ce0f0b5ebc34a0cacf96fb

SHA256
255cf0cc80522477f8d3d2df3c106780e4a20f236bd159f2edfc3fb3d45f8320

SHA512
5a904d9e57f54cd3517476c73a000109f99d3549aae73c516a8565ed27942d29fd5d7a4bd8c83c86358bb414d0e90e4e847459c3dafbd51ab2982c7898c07b71

Download Submit
C:\Windows\update.exe

Filesize
483B

MD5
60ff372e394f7e60959f05f811c853c5

SHA1
ce697c552c71316e436b1cd592775ef894b9bf96

SHA256
46138a9f4b119b1074542cbc6fbd349c959b161474eb67dddf98fec8473c84a1

SHA512
69fc2b809e26e3da17f7256b5848fb1b21bfcdde002236964a3a7c5b9c2a1df1509a26f24042d2ed076f1e6e33060ff751fa45d04f9efd907e7e7f389e06cfa1

Download Submit
C:\Windows\xxxx.bat

Filesize
280B

MD5
ad0e5d3841e7186a0a8824a56efb5fca

SHA1
b726c2b6c9d9af86b7e46fae07e1c65871dac30b

SHA256
273787f6ff89e76a22d825048458c5aac17d9fa1871b8ad43cbb1e28f0a1c5db

SHA512
b0989b1fecf37bdd3b6b0e4ea6d7bf8bd0edbb225ec8e7a68c1e81277becbf00368a99a3f37ebcfb105c4e428d195a18348fe7f46bb7faf360fe79fcdb05c331

Download Submit
memory/1048-189-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-193-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-188-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-179-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-190-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-191-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-192-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-187-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-194-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-195-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-196-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-197-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-198-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1048-199-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads