f01f5bffcce28483b4d59107a0bd727c4c00529a2de1d9f5076e55df447608b4

General

Target

1f0442ad3f186278669ebb85773aee8f.exe
Size

367KB
MD5

1f0442ad3f186278669ebb85773aee8f
SHA1

6522afadcafef3cad1b5275659a259807bfe3552
SHA256

f01f5bffcce28483b4d59107a0bd727c4c00529a2de1d9f5076e55df447608b4
SHA512

ee9c657b2f7e8b02f87ab5a41a8ac650aab463cd4f1c70e9d31641e04d7956763e3af53b36dd57d04c9d434ac618f4ee4f9fe01be658528ed375524f79c86161
SSDEEP

6144:ikPv3h1mvP4Fuf9ihQoxSwJKTP9X0nquz57GWy2o1UjSMUg2mpkvE8:ie5kv66ilJJlnqud7xyD1U2bg1A

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"	svhost.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3404	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
4244	svhost.exe
3728	lsass.exe
3348	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	svhost.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1f0442ad3f186278669ebb85773aee8f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svhost.exe	lsass.exe
File created	C:\Windows\SysWOW64\svhost.exe	1f0442ad3f186278669ebb85773aee8f.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	1f0442ad3f186278669ebb85773aee8f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 3728 set thread context of 3348	3728	lsass.exe	91

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4244	svhost.exe
3348	svhost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 2708 wrote to memory of 4244	2708	1f0442ad3f186278669ebb85773aee8f.exe	58
PID 4244 wrote to memory of 3404	4244	svhost.exe	66
PID 4244 wrote to memory of 3404	4244	svhost.exe	66
PID 4244 wrote to memory of 3404	4244	svhost.exe	66
PID 4244 wrote to memory of 3728	4244	svhost.exe	65
PID 4244 wrote to memory of 3728	4244	svhost.exe	65
PID 4244 wrote to memory of 3728	4244	svhost.exe	65
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91
PID 3728 wrote to memory of 3348	3728	lsass.exe	91

C:\Users\Admin\AppData\Local\Temp\1f0442ad3f186278669ebb85773aee8f.exe
"C:\Users\Admin\AppData\Local\Temp\1f0442ad3f186278669ebb85773aee8f.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\1f0442ad3f186278669ebb85773aee8f.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    "C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\1f0442ad3f186278669ebb85773aee8f.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\svhost.exe
      "C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\1f0442ad3f186278669ebb85773aee8f.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3348
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
64KB

MD5
16509aded9ac4c04dffa7b267ffe5522

SHA1
e8d6678899d6d961be53a05a4d7ec8e5bd733c34

SHA256
42ff812c230746748a21472903f9a56096904a74d6db2d14870dbd9f19898e2a

SHA512
5b0c2a236498ba75585ab41e47bafebb651a866b7f08e92910a3bc898836faa0fa5ff07b026306b6b57d51f2a120f634262b4d6ff462c9ce6fc73583ad7fdb75

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
50KB

MD5
2f3fdc03f6c838fdd176402e3af417f7

SHA1
55b66e951be9ac799f1ac8851aaad1c37cd62f5c

SHA256
324a97b2747adba63db9896a19819ff098ac4199f762654973916ed19ffe4e83

SHA512
7058f52e30fb29e7675744587ed14260b02b297fd966557a63e290481766fa68efd2c4a3b6894ccc2ed4a50465066cf8b2c1cd1077eb354dc2bc5218539077e3

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
90KB

MD5
59979c96ce7a1104bd357adb56561806

SHA1
15282aab22d8cca5f7ac767e3c77f56ffe8e1f1c

SHA256
2fa1fc89d6214b802552c56ec4ef13c76fadf5942b645737f8878018740e8eb6

SHA512
071154a70e0a412af58fbe06897b41c04c55a65c8a21f911870dd2878e4bbd9ca1dbe438318b469f64d71643bc623b7e2d7b7cedc5fc89d92901dd32c8523466

Download Submit
C:\Windows\SysWOW64\svhost.exe

Filesize
60KB

MD5
4f8dca7b56703fd0653ae7d9264a08ff

SHA1
fe6184257d96df970096ce07562aa26cef42d923

SHA256
43e1896ec8b3cd51552fb2a98620d178af2ce31f370ff211ce023ea14f3c112b

SHA512
9191ef4a80a85fc6020f3b098470c869e6cde93101728720df5f2ce8c1c9ec5312625ac0baed23807f4c45edb4062c309587e59b1377535d7566933fe9516155

Download Submit
C:\Windows\SysWOW64\svhost.exe

Filesize
38KB

MD5
b48d34090719816adc279117be06bb15

SHA1
e915a728f55b32459a301974b2099c3474467ce7

SHA256
ab8ea99eb6f21a65719bfbb6c8d317b08d90c0f18f1f6aa2ff7f9eae1f1b9e6f

SHA512
038907cade16945fc34952c9f11de96a3f47c80954fee1c5235125948154fcb5724aaf215f6eebb4c35adaadcb64bae3f34cd38ab80ee606676fa2578a22d076

Download Submit
C:\Windows\SysWOW64\svhost.exe

Filesize
62KB

MD5
9769fb1f8fabcd431e5708aeb5ee092a

SHA1
9693026f7fd86dd3f45c664a7bdd65e1ff8a8d79

SHA256
a0b3b598d1ee5a55a1cc5ad4672cec58a1f3f0225d15013b411954dbed51fa72

SHA512
805e3990c40ced9e3fd7d37288c9fc06e0592adf0d237fa7051e4f8f23e54173caac4593a6ab4b2155158863b2e5e25582cae8a0b7e6de9006a37fd544ccf569

Download Submit
memory/3348-22-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-30-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads