28ad6e46e20367d7608d87023d7f50b2efb425b46f0797d1e57d38bdde6b5b9d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5216bb522237025747fb9842fd766140.exe
Size

152KB
MD5

5216bb522237025747fb9842fd766140
SHA1

99c6f02c60f09e7baa0a46b387111b599fb9fbd7
SHA256

28ad6e46e20367d7608d87023d7f50b2efb425b46f0797d1e57d38bdde6b5b9d
SHA512

36053ab90193424d6c014017aeaf127c778108ff8d972e662a5040d9c62124c22042d5c195650a1bee183830867dc4b5bcabaac97daed11e3d50be7608d420cb
SSDEEP

3072:k/QMFZvOsi67UvPql3psQl0XD6VIOsHbM2N2eGWYxJ9jTbRfZUh:/MVRUvQ3rXKLbM2cIS9jXRqh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	5216bb522237025747fb9842fd766140.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntos.exe	5216bb522237025747fb9842fd766140.exe
File created	C:\Windows\SysWOW64\ntos.exe	5216bb522237025747fb9842fd766140.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 8 set thread context of 4948	8	5216bb522237025747fb9842fd766140.exe	89

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4948	5216bb522237025747fb9842fd766140.exe
4948	5216bb522237025747fb9842fd766140.exe
4948	5216bb522237025747fb9842fd766140.exe
4948	5216bb522237025747fb9842fd766140.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	5216bb522237025747fb9842fd766140.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 8 wrote to memory of 4948	8	5216bb522237025747fb9842fd766140.exe	89
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5
PID 4948 wrote to memory of 636	4948	5216bb522237025747fb9842fd766140.exe	5

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\5216bb522237025747fb9842fd766140.exe
"C:\Users\Admin\AppData\Local\Temp\5216bb522237025747fb9842fd766140.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\5216bb522237025747fb9842fd766140.exe
  "C:\Users\Admin\AppData\Local\Temp\5216bb522237025747fb9842fd766140.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/8-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/8-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/636-153-0x000000001DE20000-0x000000001DE42000-memory.dmp

Filesize
136KB

Download
memory/636-181-0x000000001DF70000-0x000000001DF92000-memory.dmp

Filesize
136KB

Download
memory/636-29-0x000000001D850000-0x000000001D872000-memory.dmp

Filesize
136KB

Download
memory/636-33-0x000000001D880000-0x000000001D8A2000-memory.dmp

Filesize
136KB

Download
memory/636-37-0x000000001D8B0000-0x000000001D8D2000-memory.dmp

Filesize
136KB

Download
memory/636-49-0x000000001D940000-0x000000001D962000-memory.dmp

Filesize
136KB

Download
memory/636-53-0x000000001D970000-0x000000001D992000-memory.dmp

Filesize
136KB

Download
memory/636-137-0x000000001DD60000-0x000000001DD82000-memory.dmp

Filesize
136KB

Download
memory/636-41-0x000000001D8E0000-0x000000001D902000-memory.dmp

Filesize
136KB

Download
memory/636-45-0x000000001D910000-0x000000001D932000-memory.dmp

Filesize
136KB

Download
memory/636-57-0x000000001D9A0000-0x000000001D9C2000-memory.dmp

Filesize
136KB

Download
memory/636-65-0x000000001DA00000-0x000000001DA22000-memory.dmp

Filesize
136KB

Download
memory/636-69-0x000000001DA30000-0x000000001DA52000-memory.dmp

Filesize
136KB

Download
memory/636-73-0x000000001DA60000-0x000000001DA82000-memory.dmp

Filesize
136KB

Download
memory/636-81-0x000000001DAC0000-0x000000001DAE2000-memory.dmp

Filesize
136KB

Download
memory/636-85-0x000000001DAF0000-0x000000001DB12000-memory.dmp

Filesize
136KB

Download
memory/636-89-0x000000001DB20000-0x000000001DB42000-memory.dmp

Filesize
136KB

Download
memory/636-93-0x000000001DB50000-0x000000001DB72000-memory.dmp

Filesize
136KB

Download
memory/636-97-0x000000001DB80000-0x000000001DBA2000-memory.dmp

Filesize
136KB

Download
memory/636-101-0x000000001DBB0000-0x000000001DBD2000-memory.dmp

Filesize
136KB

Download
memory/636-109-0x000000001DC10000-0x000000001DC32000-memory.dmp

Filesize
136KB

Download
memory/636-105-0x000000001DBE0000-0x000000001DC02000-memory.dmp

Filesize
136KB

Download
memory/636-77-0x000000001DA90000-0x000000001DAB2000-memory.dmp

Filesize
136KB

Download
memory/636-117-0x000000001DC70000-0x000000001DC92000-memory.dmp

Filesize
136KB

Download
memory/636-121-0x000000001DCA0000-0x000000001DCC2000-memory.dmp

Filesize
136KB

Download
memory/636-129-0x000000001DD00000-0x000000001DD22000-memory.dmp

Filesize
136KB

Download
memory/636-133-0x000000001DD30000-0x000000001DD52000-memory.dmp

Filesize
136KB

Download
memory/636-141-0x000000001DD90000-0x000000001DDB2000-memory.dmp

Filesize
136KB

Download
memory/636-145-0x000000001DDC0000-0x000000001DDE2000-memory.dmp

Filesize
136KB

Download
memory/636-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/636-25-0x000000001D820000-0x000000001D842000-memory.dmp

Filesize
136KB

Download
memory/636-157-0x000000001DE50000-0x000000001DE72000-memory.dmp

Filesize
136KB

Download
memory/636-61-0x000000001D9D0000-0x000000001D9F2000-memory.dmp

Filesize
136KB

Download
memory/636-165-0x000000001DEB0000-0x000000001DED2000-memory.dmp

Filesize
136KB

Download
memory/636-169-0x000000001DEE0000-0x000000001DF02000-memory.dmp

Filesize
136KB

Download
memory/636-173-0x000000001DF10000-0x000000001DF32000-memory.dmp

Filesize
136KB

Download
memory/636-149-0x000000001DDF0000-0x000000001DE12000-memory.dmp

Filesize
136KB

Download
memory/636-185-0x000000001DFA0000-0x000000001DFC2000-memory.dmp

Filesize
136KB

Download
memory/636-193-0x000000001E000000-0x000000001E022000-memory.dmp

Filesize
136KB

Download
memory/636-197-0x000000001E030000-0x000000001E052000-memory.dmp

Filesize
136KB

Download
memory/636-189-0x000000001DFD0000-0x000000001DFF2000-memory.dmp

Filesize
136KB

Download
memory/636-205-0x000000001E090000-0x000000001E0B2000-memory.dmp

Filesize
136KB

Download
memory/636-209-0x000000001E0C0000-0x000000001E0E2000-memory.dmp

Filesize
136KB

Download
memory/636-217-0x000000001E120000-0x000000001E142000-memory.dmp

Filesize
136KB

Download
memory/636-221-0x000000001E150000-0x000000001E172000-memory.dmp

Filesize
136KB

Download
memory/636-229-0x000000001E1B0000-0x000000001E1D2000-memory.dmp

Filesize
136KB

Download
memory/636-233-0x000000001E1E0000-0x000000001E202000-memory.dmp

Filesize
136KB

Download
memory/636-225-0x000000001E180000-0x000000001E1A2000-memory.dmp

Filesize
136KB

Download
memory/636-213-0x000000001E0F0000-0x000000001E112000-memory.dmp

Filesize
136KB

Download
memory/636-201-0x000000001E060000-0x000000001E082000-memory.dmp

Filesize
136KB

Download
memory/636-177-0x000000001DF40000-0x000000001DF62000-memory.dmp

Filesize
136KB

Download
memory/636-161-0x000000001DE80000-0x000000001DEA2000-memory.dmp

Filesize
136KB

Download
memory/636-125-0x000000001DCD0000-0x000000001DCF2000-memory.dmp

Filesize
136KB

Download
memory/636-113-0x000000001DC40000-0x000000001DC62000-memory.dmp

Filesize
136KB

Download
memory/4948-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download