28cfbb2fdb195bb371d07ec62ee7c037f5144cb3cf37c000d457309eec2e0fb2

Analysis

max time kernel
209s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150d98154489ecdbcb60056eb3630b5b.exe
Size

2.8MB
MD5

150d98154489ecdbcb60056eb3630b5b
SHA1

e0e6b0455e326eaacc260cc745505355671386a1
SHA256

28cfbb2fdb195bb371d07ec62ee7c037f5144cb3cf37c000d457309eec2e0fb2
SHA512

f15f7aa760bda2d9fb09b8a15a69472498eb03c5db2f79faff1db555eefb5ad3699f472e6aaae55cc10304ca08d95e6b86d3472668ecccbb39aec143e4e20e14
SSDEEP

1536:Mvzk+n/yZgaeEalqyVLo9dYJ+0ECg6aRhdsRJ+F:Mbk+6ZganMqykPE+0Ej6aji+F

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 19 IoCs

pid	Process
3968	userinit.exe
4428	system.exe
2408	system.exe
4840	system.exe
3244	system.exe
2656	system.exe
212	system.exe
3204	system.exe
3332	system.exe
2984	system.exe
4192	system.exe
1348	system.exe
1092	system.exe
2700	system.exe
5024	system.exe
4556	system.exe
1800	system.exe
3004	system.exe
3476	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	150d98154489ecdbcb60056eb3630b5b.exe
File opened for modification	C:\Windows\userinit.exe	150d98154489ecdbcb60056eb3630b5b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
656	150d98154489ecdbcb60056eb3630b5b.exe
656	150d98154489ecdbcb60056eb3630b5b.exe
3968	userinit.exe
3968	userinit.exe
3968	userinit.exe
3968	userinit.exe
4428	system.exe
4428	system.exe
3968	userinit.exe
3968	userinit.exe
2408	system.exe
2408	system.exe
3968	userinit.exe
3968	userinit.exe
4840	system.exe
4840	system.exe
3968	userinit.exe
3968	userinit.exe
3244	system.exe
3244	system.exe
3968	userinit.exe
3968	userinit.exe
3968	userinit.exe
3968	userinit.exe
2656	system.exe
212	system.exe
2656	system.exe
212	system.exe
3968	userinit.exe
3968	userinit.exe
3204	system.exe
3204	system.exe
3968	userinit.exe
3968	userinit.exe
3332	system.exe
3332	system.exe
3968	userinit.exe
3968	userinit.exe
2984	system.exe
2984	system.exe
3968	userinit.exe
3968	userinit.exe
4192	system.exe
4192	system.exe
3968	userinit.exe
3968	userinit.exe
1348	system.exe
1348	system.exe
3968	userinit.exe
3968	userinit.exe
1092	system.exe
1092	system.exe
3968	userinit.exe
3968	userinit.exe
2700	system.exe
2700	system.exe
3968	userinit.exe
3968	userinit.exe
5024	system.exe
5024	system.exe
3968	userinit.exe
3968	userinit.exe
4556	system.exe
4556	system.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
656	150d98154489ecdbcb60056eb3630b5b.exe
656	150d98154489ecdbcb60056eb3630b5b.exe
3968	userinit.exe
3968	userinit.exe
4428	system.exe
4428	system.exe
2408	system.exe
2408	system.exe
4840	system.exe
4840	system.exe
3244	system.exe
3244	system.exe
2656	system.exe
212	system.exe
2656	system.exe
212	system.exe
3204	system.exe
3204	system.exe
3332	system.exe
3332	system.exe
2984	system.exe
2984	system.exe
4192	system.exe
4192	system.exe
1348	system.exe
1348	system.exe
1092	system.exe
1092	system.exe
2700	system.exe
2700	system.exe
5024	system.exe
5024	system.exe
4556	system.exe
4556	system.exe
1800	system.exe
1800	system.exe
3004	system.exe
3004	system.exe
3476	system.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3968	656	150d98154489ecdbcb60056eb3630b5b.exe	92
PID 656 wrote to memory of 3968	656	150d98154489ecdbcb60056eb3630b5b.exe	92
PID 656 wrote to memory of 3968	656	150d98154489ecdbcb60056eb3630b5b.exe	92
PID 3968 wrote to memory of 4428	3968	userinit.exe	94
PID 3968 wrote to memory of 4428	3968	userinit.exe	94
PID 3968 wrote to memory of 4428	3968	userinit.exe	94
PID 3968 wrote to memory of 2408	3968	userinit.exe	95
PID 3968 wrote to memory of 2408	3968	userinit.exe	95
PID 3968 wrote to memory of 2408	3968	userinit.exe	95
PID 3968 wrote to memory of 4840	3968	userinit.exe	97
PID 3968 wrote to memory of 4840	3968	userinit.exe	97
PID 3968 wrote to memory of 4840	3968	userinit.exe	97
PID 3968 wrote to memory of 3244	3968	userinit.exe	101
PID 3968 wrote to memory of 3244	3968	userinit.exe	101
PID 3968 wrote to memory of 3244	3968	userinit.exe	101
PID 3968 wrote to memory of 2656	3968	userinit.exe	102
PID 3968 wrote to memory of 2656	3968	userinit.exe	102
PID 3968 wrote to memory of 2656	3968	userinit.exe	102
PID 3968 wrote to memory of 212	3968	userinit.exe	103
PID 3968 wrote to memory of 212	3968	userinit.exe	103
PID 3968 wrote to memory of 212	3968	userinit.exe	103
PID 3968 wrote to memory of 3204	3968	userinit.exe	104
PID 3968 wrote to memory of 3204	3968	userinit.exe	104
PID 3968 wrote to memory of 3204	3968	userinit.exe	104
PID 3968 wrote to memory of 3332	3968	userinit.exe	106
PID 3968 wrote to memory of 3332	3968	userinit.exe	106
PID 3968 wrote to memory of 3332	3968	userinit.exe	106
PID 3968 wrote to memory of 2984	3968	userinit.exe	109
PID 3968 wrote to memory of 2984	3968	userinit.exe	109
PID 3968 wrote to memory of 2984	3968	userinit.exe	109
PID 3968 wrote to memory of 4192	3968	userinit.exe	110
PID 3968 wrote to memory of 4192	3968	userinit.exe	110
PID 3968 wrote to memory of 4192	3968	userinit.exe	110
PID 3968 wrote to memory of 1348	3968	userinit.exe	111
PID 3968 wrote to memory of 1348	3968	userinit.exe	111
PID 3968 wrote to memory of 1348	3968	userinit.exe	111
PID 3968 wrote to memory of 1092	3968	userinit.exe	115
PID 3968 wrote to memory of 1092	3968	userinit.exe	115
PID 3968 wrote to memory of 1092	3968	userinit.exe	115
PID 3968 wrote to memory of 2700	3968	userinit.exe	117
PID 3968 wrote to memory of 2700	3968	userinit.exe	117
PID 3968 wrote to memory of 2700	3968	userinit.exe	117
PID 3968 wrote to memory of 5024	3968	userinit.exe	118
PID 3968 wrote to memory of 5024	3968	userinit.exe	118
PID 3968 wrote to memory of 5024	3968	userinit.exe	118
PID 3968 wrote to memory of 4556	3968	userinit.exe	120
PID 3968 wrote to memory of 4556	3968	userinit.exe	120
PID 3968 wrote to memory of 4556	3968	userinit.exe	120
PID 3968 wrote to memory of 1800	3968	userinit.exe	121
PID 3968 wrote to memory of 1800	3968	userinit.exe	121
PID 3968 wrote to memory of 1800	3968	userinit.exe	121
PID 3968 wrote to memory of 3004	3968	userinit.exe	122
PID 3968 wrote to memory of 3004	3968	userinit.exe	122
PID 3968 wrote to memory of 3004	3968	userinit.exe	122
PID 3968 wrote to memory of 3476	3968	userinit.exe	126
PID 3968 wrote to memory of 3476	3968	userinit.exe	126
PID 3968 wrote to memory of 3476	3968	userinit.exe	126

C:\Users\Admin\AppData\Local\Temp\150d98154489ecdbcb60056eb3630b5b.exe
"C:\Users\Admin\AppData\Local\Temp\150d98154489ecdbcb60056eb3630b5b.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
1.0MB

MD5
f2a0d69416042bc86739002b214f44b5

SHA1
0ef5cf2598113b67832587896522dae352870553

SHA256
d57a22c276b4266aafa50965f6a0e0cee2b7c1ce401368a65ede862e2741facc

SHA512
b199288289d488f0e6832dbcbda359e82ae2f7928f01e4b48ba457b118d3eca02ea9b07848ec5fc727e5c4b51d31dbac11739403eb0af7090553c1c190c11d7e

Download Submit
C:\Windows\userinit.exe

Filesize
2.8MB

MD5
150d98154489ecdbcb60056eb3630b5b

SHA1
e0e6b0455e326eaacc260cc745505355671386a1

SHA256
28cfbb2fdb195bb371d07ec62ee7c037f5144cb3cf37c000d457309eec2e0fb2

SHA512
f15f7aa760bda2d9fb09b8a15a69472498eb03c5db2f79faff1db555eefb5ad3699f472e6aaae55cc10304ca08d95e6b86d3472668ecccbb39aec143e4e20e14

Download Submit
memory/212-59-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/656-18-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/656-8-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/656-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/656-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1092-95-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1092-94-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1092-99-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1348-91-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1800-122-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2408-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2408-35-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2656-49-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2656-60-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2656-52-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2700-104-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2984-75-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2984-79-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3004-128-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3204-66-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3244-46-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3332-73-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3332-68-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3968-33-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3968-13-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3968-12-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4192-85-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4192-81-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4428-28-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4556-117-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4840-41-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5024-111-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download