acb1dfca7bfd3b5e545c9da536b8224d16da898e3c20aef92a7d0fa9a3a4c1be

General

Target

08a6f1b32a9bafd66fd87c69a98dd091.exe
Size

347KB
MD5

08a6f1b32a9bafd66fd87c69a98dd091
SHA1

985b5fb57cbec8816d25fe4a80007d6ba2ab3592
SHA256

acb1dfca7bfd3b5e545c9da536b8224d16da898e3c20aef92a7d0fa9a3a4c1be
SHA512

93c47f187c1e10133136f65e47606e3802fc71c5531de32bf75005b88557818982bca2c4c8bb9906a2aaf6d9cfc0c383d3fd800b24cb70813029e119f4506a4a
SSDEEP

6144:a8iWerxf3j32naYlr3PmldhJTMClnGhL4zGKtbm7OZZWfvuUX7Z25p1zbR9:a8hediaY53+hBMonIpKgKZZWfvuUX7ZE

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\9a30bcf7\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
336	csrss.exe
1952	X

Loads dropped DLL 2 IoCs

pid	Process
1936	08a6f1b32a9bafd66fd87c69a98dd091.exe
1936	08a6f1b32a9bafd66fd87c69a98dd091.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2824	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	31

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{be82c772-285b-b66e-f167-51111c07bcd8}	08a6f1b32a9bafd66fd87c69a98dd091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{be82c772-285b-b66e-f167-51111c07bcd8}\u = "134"	08a6f1b32a9bafd66fd87c69a98dd091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{be82c772-285b-b66e-f167-51111c07bcd8}\cid = "7531178790265625550"	08a6f1b32a9bafd66fd87c69a98dd091.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1936	08a6f1b32a9bafd66fd87c69a98dd091.exe
1936	08a6f1b32a9bafd66fd87c69a98dd091.exe
1936	08a6f1b32a9bafd66fd87c69a98dd091.exe
1936	08a6f1b32a9bafd66fd87c69a98dd091.exe
1952	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe
Token: SeDebugPrivilege	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1224	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	8
PID 1936 wrote to memory of 336	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	26
PID 336 wrote to memory of 2604	336	csrss.exe	28
PID 336 wrote to memory of 2604	336	csrss.exe	28
PID 336 wrote to memory of 2704	336	csrss.exe	29
PID 336 wrote to memory of 2704	336	csrss.exe	29
PID 1936 wrote to memory of 1952	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	30
PID 1936 wrote to memory of 1952	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	30
PID 1936 wrote to memory of 1952	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	30
PID 1936 wrote to memory of 1952	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	30
PID 1952 wrote to memory of 1224	1952	X	8
PID 1936 wrote to memory of 2824	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	31
PID 1936 wrote to memory of 2824	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	31
PID 1936 wrote to memory of 2824	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	31
PID 1936 wrote to memory of 2824	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	31
PID 1936 wrote to memory of 2824	1936	08a6f1b32a9bafd66fd87c69a98dd091.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1224
- C:\Users\Admin\AppData\Local\Temp\08a6f1b32a9bafd66fd87c69a98dd091.exe
  "C:\Users\Admin\AppData\Local\Temp\08a6f1b32a9bafd66fd87c69a98dd091.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\9a30bcf7\X
    176.53.17.23:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2824

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2604

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9a30bcf7\@

Filesize
2KB

MD5
24ad2300edca581fefcc222d7a72b23f

SHA1
f589b5fcc846c1b4e1bb57739584c8e37aa0fba5

SHA256
710d6fd93ddec2cc78175ef409bf2d216f36b3102a55757c5ac53bde592f2161

SHA512
224ae9cb7d2234182605aa4f021d2922f63af0fed96f9ccd20bdf9e5aaeb18fbe7527527cd4ecdcb4a931fb66717b0a39d526d259f9cb09877f02db0c409e732

Download Submit
\Users\Admin\AppData\Local\9a30bcf7\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Windows\System32\consrv.dll

Filesize
29KB

MD5
2585231190620fb4557aacf4515f83e1

SHA1
8277ce556c7de0eacc724b94d04855a51a9292e1

SHA256
346abe431b22efc5b6134991139106a9a08abc947eb0c9026277d120c1101b64

SHA512
921e330f8b2a4c5bba84b43c255132c849a4b7641228f9c998a18acb7743942cd9763a056fe18bfa56e72e03de8124c35504e57d4c7ab18a6928aa07515c93ef

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
6bca580c417f666956f359cca1dd990d

SHA1
fd4ae918014871ff4136981b26ce3c0e66179771

SHA256
d6e1b59ebda95d34c9d8a0cedc6bbb2b2d6f51891567fd697f99e26af2cee6b0

SHA512
153cc425c76ea71ac11d43399f3b7fdc104fdcc2a629d81b76252fc84bc3d81331bff9abcc7a220049cdf36f6bd7b69fb47213cd4ed3bb9f23d3bd052e8eda9d

Download Submit
memory/336-30-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/336-36-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/336-27-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/336-29-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/1224-54-0x0000000002B30000-0x0000000002B3B000-memory.dmp

Filesize
44KB

Download
memory/1224-57-0x0000000002B50000-0x0000000002B5B000-memory.dmp

Filesize
44KB

Download
memory/1224-62-0x0000000002B50000-0x0000000002B5B000-memory.dmp

Filesize
44KB

Download
memory/1224-12-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/1224-23-0x0000000002B20000-0x0000000002B22000-memory.dmp

Filesize
8KB

Download
memory/1224-16-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/1224-20-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/1224-55-0x0000000002B50000-0x0000000002B5B000-memory.dmp

Filesize
44KB

Download
memory/1224-50-0x0000000002B30000-0x0000000002B3B000-memory.dmp

Filesize
44KB

Download
memory/1224-47-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/1224-45-0x0000000002B30000-0x0000000002B3B000-memory.dmp

Filesize
44KB

Download
memory/1936-31-0x0000000000400000-0x0000000000464BD0-memory.dmp

Filesize
402KB

Download
memory/1936-22-0x0000000001F60000-0x0000000002060000-memory.dmp

Filesize
1024KB

Download
memory/1936-35-0x0000000001F60000-0x0000000002060000-memory.dmp

Filesize
1024KB

Download
memory/1936-34-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/1936-32-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/1936-1-0x0000000000400000-0x0000000000464BD0-memory.dmp

Filesize
402KB

Download
memory/1936-21-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/1936-9-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/1936-6-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/1936-58-0x0000000000400000-0x0000000000464BD0-memory.dmp

Filesize
402KB

Download
memory/1936-60-0x0000000000400000-0x0000000000464BD0-memory.dmp

Filesize
402KB

Download
memory/1936-61-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/1936-3-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/1936-2-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads