44ef1ea44584c0012c789ec055632eab942a4e5c9638bdf63e2735ffce9e4b03

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07316f1c29fea60c876649ad47a7a070.exe
Size

268KB
MD5

07316f1c29fea60c876649ad47a7a070
SHA1

904fb86d06f7dcedc9ab830e9d1537d59d8c8839
SHA256

44ef1ea44584c0012c789ec055632eab942a4e5c9638bdf63e2735ffce9e4b03
SHA512

618acbc2724b660dc507e66b8c2976b24a0ca89333acfa61194c05ca9c15808429338e22e3288357bb6c4d031dd5c78e984eba3fd279738a0807928bc6ae3adc
SSDEEP

6144:5I1v9PfKoXjllMoVpfZLijwDAhtCx6o3yG4/xFk:54vFfVzv2qZitZFk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\07316F~1.EXE,"	07316f1c29fea60c876649ad47a7a070.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07316F~1.EXE"	07316f1c29fea60c876649ad47a7a070.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d872462 = "N\u008f¾FÊc\x18j‚¶\v]¤·\u008fŠºb6Ñ¡§qFbŸªô\x0f¹â¸(„M›yTÌú¹ûíz¼6\x16§g‰\x1dxw6ÉšŸ>eËÂï\"ÜF¿\u00adBÜ©õì€¾@&)Éˆ˜#”‘¹ÉÉãÞHav¼¢‘–ê©ûáÆÃ\b~¹7&–)\x14‡ìø\rú)ƒ\x14J™Ð[£\x05Sü\x01’€G°U’Ë:õW£Ž[‡5m\\ã\x02ƒ\x06‘ˆ\u008f%‡†‚·ZÞ\x04ÊÙ§\u008fñ\x14‘\x1f\u008d•[¬8loØ¬'x[\v8’õ‘x\x14\x1a?š\x04\fl¼ºô.3.‘Oì\x06\x1bá0Å\t\vú\x19Q"	07316f1c29fea60c876649ad47a7a070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07316F~1.EXE"	07316f1c29fea60c876649ad47a7a070.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	07316f1c29fea60c876649ad47a7a070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	07316f1c29fea60c876649ad47a7a070.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	07316f1c29fea60c876649ad47a7a070.exe
2204	07316f1c29fea60c876649ad47a7a070.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2204	07316f1c29fea60c876649ad47a7a070.exe
Token: SeSecurityPrivilege	2204	07316f1c29fea60c876649ad47a7a070.exe
Token: SeSecurityPrivilege	2204	07316f1c29fea60c876649ad47a7a070.exe
Token: SeSecurityPrivilege	2204	07316f1c29fea60c876649ad47a7a070.exe

C:\Users\Admin\AppData\Local\Temp\07316f1c29fea60c876649ad47a7a070.exe
"C:\Users\Admin\AppData\Local\Temp\07316f1c29fea60c876649ad47a7a070.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77c8e81c2a67b565d70a00de3c7471ca

SHA1
730621a9f0ca3c9fda2ca50106bedce6f34bb6f3

SHA256
8412389e8af2f531fb3ed4e9ba471f609e5d980fe010bb2e81541a6d31c3fb74

SHA512
31dd5dc290f8a3428de76d166ff65b24bd43b0f500379601688d114e9931ea193d9ef7d1140c9100f3e19ad5183478cab3afadb22f1f4a2456fe9c5662a24762

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9D7.tmp

Filesize
45KB

MD5
3d6bdcb4faf3c6cd1bb292847e3d9085

SHA1
48c111204e97734fefb0416b983be02eb5a7b5b4

SHA256
1d41daca5d7400d9b853f0eb6d9c4da657b238e2c10e512f635c4394353e294e

SHA512
e7383921aaca03835c948415008aa82ee362a154bdb4a067dfcac7d0e91e8c1d09f887f1de52ec5ef62632bc788a674cab42fa8aebdf08e8800bc6c2b069c0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC43.tmp

Filesize
715B

MD5
587be65a5dd511a9c7cf5c53a0dde1df

SHA1
47bf97e955842990ef23b199d9c448886af30d15

SHA256
4f149c2ac62924f2999c207ec8a05337aafd43cccbddaf1c75dfb00d09a341fa

SHA512
10828a505bef5081749a1709063a43e02dbd1a5e6b71c7577914d65993632d82741bcc90f17db919fa3a52ca5b543b5783b8842a2e40c534dda1ca0ab1665873

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA09.tmp

Filesize
65KB

MD5
b536389551315cd85fd3f56fb4789efb

SHA1
d48e2d32f0b113600e6c927d1de718d95b9aea91

SHA256
7ac2695874c7638f0b5c2a7bb5d999987e173baf0e2d998a5791fa982e060541

SHA512
45f702b5e687d23a489ca4dafd247dac022924068a80f8cda8a6818cf26048449c7108460644cfcb4c54727bafefa9b6431989ec4a7ca7eeb2bd9a6f59501344

Download Submit
memory/2204-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2204-1-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2204-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2204-6-0x00000000023C0000-0x000000000247F000-memory.dmp

Filesize
764KB

Download
memory/2204-8-0x00000000023C0000-0x000000000247F000-memory.dmp

Filesize
764KB

Download
memory/2204-4-0x00000000023C0000-0x000000000247F000-memory.dmp

Filesize
764KB

Download
memory/2204-14-0x00000000023C0000-0x000000000247F000-memory.dmp

Filesize
764KB

Download
memory/2204-12-0x00000000023C0000-0x000000000247F000-memory.dmp

Filesize
764KB

Download
memory/2204-10-0x00000000023C0000-0x000000000247F000-memory.dmp

Filesize
764KB

Download
memory/2204-17-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-20-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-19-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-15-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-58-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-63-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-71-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-77-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-82-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-85-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-89-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-91-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-94-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-96-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-95-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-93-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-92-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-90-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-88-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-86-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-87-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-84-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-83-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-81-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-80-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-79-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-78-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-76-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-75-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-74-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-73-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-72-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-70-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-69-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-68-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-67-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-66-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-65-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-64-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-62-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-61-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-60-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-59-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-57-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-56-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-55-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-54-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-53-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-52-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-51-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download
memory/2204-199-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2204-328-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2204-486-0x0000000002580000-0x0000000002646000-memory.dmp

Filesize
792KB

Download