6fb6fbc925ade4ca5155f171df86caf212de82cec61adfc793c74176b5702071

General

Target

0c046c3dcc256327ee461aa5ffe9ea6a.exe
Size

332KB
MD5

0c046c3dcc256327ee461aa5ffe9ea6a
SHA1

65685aa3fa515b63994dc74fa5569c3c060fa6a0
SHA256

6fb6fbc925ade4ca5155f171df86caf212de82cec61adfc793c74176b5702071
SHA512

cd3d5233451347fe24b20aa93d921f8907d3cfa440052c2a3c9c2b20a4f0aaa7c05a4b5e0f4027160e80e48d3968d579d4e41f92045af9bf41bace00e6e50e65
SSDEEP

6144:ESDlRrFSt0BAFiptt+NL7CdZRU26i9SdQCxhu+smEHGgpAAMVvwzkPxvhL7nBuSw:EuQxFiBkyhU2l9o/vOG0jMVYQVhr

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\3a800af5\\X"	Explorer.EXE

Executes dropped EXE 2 IoCs

pid	Process
336	csrss.exe
3040	X

Loads dropped DLL 2 IoCs

pid	Process
1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe
1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717112e1-f980-f90b-05d8-7bcbd5430dc8}\u = "71"	0c046c3dcc256327ee461aa5ffe9ea6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717112e1-f980-f90b-05d8-7bcbd5430dc8}\cid = "6792625113074769860"	0c046c3dcc256327ee461aa5ffe9ea6a.exe
Key created	\registry\machine\Software\Classes\Interface\{717112e1-f980-f90b-05d8-7bcbd5430dc8}	0c046c3dcc256327ee461aa5ffe9ea6a.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe
1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe
1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe
3040	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe
Token: SeDebugPrivilege	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 336	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe	25
PID 336 wrote to memory of 2076	336	csrss.exe	28
PID 336 wrote to memory of 2076	336	csrss.exe	28
PID 336 wrote to memory of 2920	336	csrss.exe	29
PID 336 wrote to memory of 2920	336	csrss.exe	29
PID 1104 wrote to memory of 3040	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe	30
PID 1104 wrote to memory of 3040	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe	30
PID 1104 wrote to memory of 3040	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe	30
PID 1104 wrote to memory of 3040	1104	0c046c3dcc256327ee461aa5ffe9ea6a.exe	30
PID 3040 wrote to memory of 1392	3040	X	2

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1392
- C:\Users\Admin\AppData\Local\Temp\0c046c3dcc256327ee461aa5ffe9ea6a.exe
  "C:\Users\Admin\AppData\Local\Temp\0c046c3dcc256327ee461aa5ffe9ea6a.exe"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\3a800af5\X
    193.105.154.210:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3040

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2076

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3a800af5\@

Filesize
2KB

MD5
622d4252e92468823fefbf58fb3aa7b9

SHA1
1709c3a3b111c5185de7caa60307b65cc7717c02

SHA256
6b27b40d3eac33ec649797ff74b0d91a981fabaf2705651f77a42adf5b6b9c52

SHA512
2059f8177bb0b3d996281cf79beb2dc6670b5d9549721ef070c2e1b72476b253d5de629779011802400f0ad4baf9c79eb156f75b3b07bf6a1808a8d706ba034d

Download Submit
C:\Users\Admin\AppData\Local\3a800af5\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
cfc07dbcde57f9e6db34eb3ce2000d0e

SHA1
9ffa3ecf4a7bb0f34b8dc746ff3334625afb4c7c

SHA256
0dc6e0a6eb27625e21c4cd6ca9f3742abf807719e4968227bbcd9268113a46ba

SHA512
133235793ac8739679d0fc45eca73de4f35ad04b636da48f00af83165c482710b87f819d1f2557b6b8534b59383a9262226d3dfc3b130b8758449bbf8d539b8c

Download Submit
memory/336-27-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/336-17-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/336-19-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/336-20-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/1104-24-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1104-6-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1104-13-0x00000000022C0000-0x00000000023C0000-memory.dmp

Filesize
1024KB

Download
memory/1104-21-0x0000000000400000-0x0000000000460624-memory.dmp

Filesize
385KB

Download
memory/1104-22-0x00000000022C0000-0x00000000023C0000-memory.dmp

Filesize
1024KB

Download
memory/1104-23-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1104-1-0x0000000000400000-0x0000000000460624-memory.dmp

Filesize
385KB

Download
memory/1104-25-0x0000000000400000-0x0000000000460624-memory.dmp

Filesize
385KB

Download
memory/1104-9-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1104-12-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1104-35-0x0000000000400000-0x0000000000460624-memory.dmp

Filesize
385KB

Download
memory/1104-2-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1104-38-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1104-3-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1392-42-0x0000000002220000-0x000000000222B000-memory.dmp

Filesize
44KB

Download
memory/1392-46-0x0000000002220000-0x000000000222B000-memory.dmp

Filesize
44KB

Download
memory/1392-47-0x00000000026E0000-0x00000000026EB000-memory.dmp

Filesize
44KB

Download
memory/1392-37-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/1392-49-0x00000000026E0000-0x00000000026EB000-memory.dmp

Filesize
44KB

Download
memory/1392-36-0x0000000002220000-0x000000000222B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads