7861a560e6dab703d8ec5d6e17bcc39741a5d7a0b09cd0942feb7d309a026d57

General

Target

f6c40d26fa7109ee44e50fdf91ea83a7.exe
Size

72KB
MD5

f6c40d26fa7109ee44e50fdf91ea83a7
SHA1

db7387e4451e8ec785053467ddf6fd2c82217136
SHA256

7861a560e6dab703d8ec5d6e17bcc39741a5d7a0b09cd0942feb7d309a026d57
SHA512

3929b537484f7115540f16645e18bdc7c01ecbedc4d48784fdd481b2947a6ca893cab39aedcf5557c678b894646607f7be133b412d4a422f2e1d7ca24858e3b7
SSDEEP

1536:LSWJ77t48O9kf5KO2UftQKwS6Wc0P88t7uHwcJyaD3sbNhxjCM5m:LRqtkfMj6uKwAtPluHpLsPxj

Score

6^/10

persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdlyh.exe"	f6c40d26fa7109ee44e50fdf91ea83a7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kdlyh.exe	f6c40d26fa7109ee44e50fdf91ea83a7.exe
File created	C:\Windows\SysWOW64\kdlyh.exe	f6c40d26fa7109ee44e50fdf91ea83a7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 4560	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe	21

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeSecurityPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeTakeOwnershipPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeLoadDriverPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeSystemProfilePrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeSystemtimePrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeProfSingleProcessPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeIncBasePriorityPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeCreatePagefilePrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeBackupPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeRestorePrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeShutdownPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeDebugPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeSystemEnvironmentPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeChangeNotifyPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeRemoteShutdownPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeUndockPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeManageVolumePrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeImpersonatePrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: SeCreateGlobalPrivilege	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: 33	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: 34	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: 35	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe
Token: 36	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 780	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe	22
PID 4484 wrote to memory of 780	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe	22
PID 4484 wrote to memory of 4560	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe	21
PID 4484 wrote to memory of 4560	4484	f6c40d26fa7109ee44e50fdf91ea83a7.exe	21

C:\Users\Admin\AppData\Local\Temp\f6c40d26fa7109ee44e50fdf91ea83a7.exe
"C:\Users\Admin\AppData\Local\Temp\f6c40d26fa7109ee44e50fdf91ea83a7.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:4560
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4484-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4484-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4484-3-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/4484-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads