c297e9800cb0f24bd4888d85229da9bae9dbb05720f45816e6da48fa8e286a68

Analysis

max time kernel
169s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f85c3c2322df8f89de4537fd5463e727.exe
Size

3.2MB
MD5

f85c3c2322df8f89de4537fd5463e727
SHA1

89492dfa6d4f158d45fc8195bd68006867626073
SHA256

c297e9800cb0f24bd4888d85229da9bae9dbb05720f45816e6da48fa8e286a68
SHA512

684a854048b4f2d0ace544ad68b387dce3174cab9b0702753e540673dcd25adcaf5e19ff4c20d2d449b2cbcec976f7656c8ca9f4b6cc390e6fb21202aa8a18f3
SSDEEP

24576:qB7KwjHfZP1sQX0Zi9fzSVUCLPq//fLGl0koRybM:sKwTfEfwEy/7Co

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\hotfix.exe"	f85c3c2322df8f89de4537fd5463e727.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	f85c3c2322df8f89de4537fd5463e727.exe
2664	f85c3c2322df8f89de4537fd5463e727.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2464	2664	f85c3c2322df8f89de4537fd5463e727.exe	91
PID 2664 wrote to memory of 2464	2664	f85c3c2322df8f89de4537fd5463e727.exe	91
PID 2664 wrote to memory of 2464	2664	f85c3c2322df8f89de4537fd5463e727.exe	91

C:\Users\Admin\AppData\Local\Temp\f85c3c2322df8f89de4537fd5463e727.exe
"C:\Users\Admin\AppData\Local\Temp\f85c3c2322df8f89de4537fd5463e727.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\jsdfgs.bat
  2⤵
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-0-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-5-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-6-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-7-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-14-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-15-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-16-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-17-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-18-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-19-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-20-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-21-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-22-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-23-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/2664-24-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download