54b9220e08a07ffa68fbfb853a1164ae6cee070f1bd8b56be1a985422017251d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d9f42de60d7482b1915cc5fb5235b0.exe
Size

237KB
MD5

08d9f42de60d7482b1915cc5fb5235b0
SHA1

1cde7b6d5cc3cce4be0637ca85a0fe6a00e7ee8d
SHA256

54b9220e08a07ffa68fbfb853a1164ae6cee070f1bd8b56be1a985422017251d
SHA512

621f1d957259361fa6392dacaa043b1a59e2daba391c7b32d47f30e6053f18695894504e9fa7626368dc6181dfb2c62f2ee5b03d0a6f1de2565de98291ba8fdf
SSDEEP

6144:LKuFF5k58rcCmTj0VpCbcR8jxaW35MK9y09:LKYe5VC8j0zCAR45yS

Score

6^/10

persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3c11b92e = "Ï€ê\x1e\aŽì\a_\u008d²\x0eå’R‡t\x14\n\x1a’sŠþ“¹%z–×±qÖÆô–Všº¸\x18@VÌSæt\x0f\x16\x16Ž\x1ac\u009d±/ßÉ¸ i\u00a0wót»ÌÁë–2jŒ\|Ö¦«\x02Ôª“\x02ËŠ#Þ‹ûV;F\x1b>”,N<b¶»6”›œ\\Ö+Cc\|,RäF¬\|sËÞ\n[lœ\x1c{\\š\x14ôú¼¶Ûbê.>³Û[c\x04”<\n³äúLªŒÔÄR´ÜLBŠ6Óê\|”[Ò#Sâ\x04ê$ªj4ªÌCDCÓÂ\x04ŠúKcÛ„“úJ\x1cÒ[:är¢Z;‚k¬fÚ´’Zž4œBC\x0e\"fZ¬Ó£ÊÞ¤úFœ:kÊû\x1c”ÄúŒú³Î’~6bšSÄF“ê{r\x1b’6\x1cîºª3c11b92e"	08d9f42de60d7482b1915cc5fb5235b0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe
4932	08d9f42de60d7482b1915cc5fb5235b0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4932	08d9f42de60d7482b1915cc5fb5235b0.exe
Token: SeSecurityPrivilege	4932	08d9f42de60d7482b1915cc5fb5235b0.exe
Token: SeSecurityPrivilege	4932	08d9f42de60d7482b1915cc5fb5235b0.exe

C:\Users\Admin\AppData\Local\Temp\08d9f42de60d7482b1915cc5fb5235b0.exe
"C:\Users\Admin\AppData\Local\Temp\08d9f42de60d7482b1915cc5fb5235b0.exe"
1⤵
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64C5.tmp

Filesize
22KB

MD5
5042501f1ea4800ba940f6d3bd903700

SHA1
863cfe22ea7e266a9e6e2909f925e5252e0dfbdc

SHA256
139a39f4493df47c78bb601f74a79f276a72a6da533b957e3ae4891533578683

SHA512
0a33d77023833e0fde7bdffe4abafa5fc0347150429987f2b6b15d9e67785bf7d275d314297ec5a630580f820705f3f87df644c27b12a34b76fc6b05a163f2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B18.tmp

Filesize
12KB

MD5
d026a0b902227e9729d5096a8ccc4f79

SHA1
b9dac8f5667d0e4037901f334ef679af2d10e02b

SHA256
0b821321705f84713d8f0cd93b6fb5dc416f08fbaf9268357e437b38200fa696

SHA512
e5d8575f473416391d905490efa8bcc1904e6d97ed5c9c5b1608ecbfec78881cca08fd5a998d6834b73b0334fdc8f9ccf6675d8a0f392dac90aa959944a645a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F4F.tmp

Filesize
1KB

MD5
d232a6db800ad001c6faac22b0d0a63c

SHA1
f96551b29d739d795adb3596d79df3c9a0150524

SHA256
7e89df677738ed0e331c3086f970c51134023aa47f4771c6fdcfe4e8f5324557

SHA512
020d2c633daf13ef46e5ac00e57e0ba2144070f2d1edb47c0f957e89e7dfeaf081d745a405a4e781d10e16a7c68ae0048f46f1785b3b893940fef4387a33ff16

Download Submit
C:\Users\Admin\AppData\Local\Temp\86BE.tmp

Filesize
1KB

MD5
63a222ff934f3cb4ddf6fde63897ddd3

SHA1
c016fcba81861f386a53f55237055e9fdb7bdffe

SHA256
aeb3217c642a7ca1fa404af7a7b8031fbe504e69ee5f401d8ee734625adf4f1e

SHA512
d6427b7b7514d07c130669a98bd38b63dff643ef31c02555d62692fb404b614106be80ec8b1241021241b404a8b62e5e657658e5918b183091d1dee1d8b26783

Download Submit
C:\Users\Admin\AppData\Local\Temp\B832.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E716.tmp

Filesize
2KB

MD5
3dc5738383edbc3fb4630fa75ece8ccd

SHA1
8b95e96facdf9d9cb08d2ab7697e4f493631db12

SHA256
b7b191a79c40457a76086c7c9ce1b3becec755198bec9ce50636e9cbd5f4a5c4

SHA512
2eaa440299cc84599bbd5d063fa5379ce520938d569ec7a882ca6d5070e9d961761151af9041c1f9c1c28e9ae2cc160ec04c8049ca1e36a61faea13ccf8707b5

Download Submit
memory/4932-154-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-148-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-4-0x00000000022F0000-0x00000000023A4000-memory.dmp

Filesize
720KB

Download
memory/4932-7-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-8-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-12-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-10-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-5-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-120-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-131-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-132-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-135-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-147-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-156-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-159-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-160-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-164-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-158-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-157-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-155-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-1-0x00000000007A0000-0x00000000007F8000-memory.dmp

Filesize
352KB

Download
memory/4932-153-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-152-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-151-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-150-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-2-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4932-145-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-130-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-129-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-128-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-127-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-126-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-125-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-124-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-123-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-122-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-121-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-119-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-118-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-117-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-116-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-115-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-114-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-113-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-0-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4932-112-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download
memory/4932-391-0x00000000007A0000-0x00000000007F8000-memory.dmp

Filesize
352KB

Download
memory/4932-398-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4932-447-0x00000000028C0000-0x0000000002983000-memory.dmp

Filesize
780KB

Download