Analysis
-
max time kernel
51s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26-12-2023 15:44
General
-
Target
79e37b464938e19ec450f2408bf5dd07.exe
-
Size
1.0MB
-
MD5
79e37b464938e19ec450f2408bf5dd07
-
SHA1
11caa525e5a5061a4e6b5b86006601c784b6a95f
-
SHA256
a27e62c716fd3e19d53fe27c25a3238d805fecc13375b46c67409eabc0c7275e
-
SHA512
fc00ca78ee6d6aeb7f259f0a854008057d50c1682adddb624ef56a6a770fc5657576b6d801260db7a3e4fc2247de64202baea4ab9a8c509bc696c32f55c55a30
-
SSDEEP
24576:wT+XEHz48vLwhrAdKu0Gr1yDJXvKoxuecF3C58ospiEwV5wXC:wTn8kdK7amZKwuPF3wFHwy
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\79e37b464938e19ec450f2408bf5dd07.exe"C:\Users\Admin\AppData\Local\Temp\79e37b464938e19ec450f2408bf5dd07.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\79e37b464938e19ec450f2408bf5dd07.exeC:\Users\Admin\AppData\Local\Temp\79e37b464938e19ec450f2408bf5dd07.exe2⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
76KB
-
Filesize
100KB
-
Filesize
100KB