4416b68e6df741ee9b2185ce941d8b2844165a79a2c2935f7fe9ab22e37836f0

Analysis

max time kernel
10s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 21:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f84f3be979c79c7c668aa26bb23ecf35.exe
Size

268KB
MD5

f84f3be979c79c7c668aa26bb23ecf35
SHA1

b0a88cbcf7db4bf5912743f806da1c1666fba366
SHA256

4416b68e6df741ee9b2185ce941d8b2844165a79a2c2935f7fe9ab22e37836f0
SHA512

e3cec38db17f15d253afc05999670a159a1d55171dbb87c396767a12d08ef598a343273d81dc1833512f99e557452a608f2065f46b9f79921c96246fa32c359d
SSDEEP

6144:bRkn+alqMqDoV0L29KQWFte1RfUuSDe+ArH:bRg+allJ0LcKNyR3SM

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\F84F3B~1.EXE,"	f84f3be979c79c7c668aa26bb23ecf35.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F84F3B~1.EXE"	f84f3be979c79c7c668aa26bb23ecf35.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\8f78b698 = "¼1AB0Š]\x1cAL£Ê„{ÇþŽ8iGÃJÙgáí™Ûó‡\x18òŽ´+W´©ä¡¨\x1eÜêî$R\u008dR\u00a0ùi\u00a0Ì&DÆ\u009dÍÙx#ØÕnPÙÚèXÛ—·kU\x1bOW_ØgíK¯ý[ëg\u00ad“\u008dWgw\a\bíÕî\x03M#\x16·¯\x03;çÀþ®"	f84f3be979c79c7c668aa26bb23ecf35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F84F3B~1.EXE"	f84f3be979c79c7c668aa26bb23ecf35.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2316	f84f3be979c79c7c668aa26bb23ecf35.exe
2316	f84f3be979c79c7c668aa26bb23ecf35.exe
2316	f84f3be979c79c7c668aa26bb23ecf35.exe
2316	f84f3be979c79c7c668aa26bb23ecf35.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2316	f84f3be979c79c7c668aa26bb23ecf35.exe
Token: SeSecurityPrivilege	2316	f84f3be979c79c7c668aa26bb23ecf35.exe
Token: SeSecurityPrivilege	2316	f84f3be979c79c7c668aa26bb23ecf35.exe
Token: SeSecurityPrivilege	2316	f84f3be979c79c7c668aa26bb23ecf35.exe

C:\Users\Admin\AppData\Local\Temp\f84f3be979c79c7c668aa26bb23ecf35.exe
"C:\Users\Admin\AppData\Local\Temp\f84f3be979c79c7c668aa26bb23ecf35.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2316-1-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2316-2-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2316-8-0x0000000002540000-0x00000000025F2000-memory.dmp

Filesize
712KB

Download
memory/2316-14-0x0000000002540000-0x00000000025F2000-memory.dmp

Filesize
712KB

Download
memory/2316-20-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-18-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-16-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-12-0x0000000002540000-0x00000000025F2000-memory.dmp

Filesize
712KB

Download
memory/2316-10-0x0000000002540000-0x00000000025F2000-memory.dmp

Filesize
712KB

Download
memory/2316-6-0x0000000002540000-0x00000000025F2000-memory.dmp

Filesize
712KB

Download
memory/2316-4-0x0000000002540000-0x00000000025F2000-memory.dmp

Filesize
712KB

Download
memory/2316-49-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-65-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-80-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-87-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-86-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-85-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-84-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-83-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-82-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-81-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-79-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-78-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-77-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-76-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-75-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-74-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-73-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-72-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-71-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-70-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-69-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-68-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-67-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-66-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-64-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-63-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-62-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-61-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-60-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-59-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-58-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-57-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-56-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-55-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-54-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-53-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-52-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-51-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-50-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-42-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-48-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-47-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-46-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-45-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-44-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-43-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download
memory/2316-298-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2316-299-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2316-301-0x0000000002700000-0x00000000027B8000-memory.dmp

Filesize
736KB

Download