863b45178e8083aadf93fe71452843b9e1b8ca40a2df3a18ade9b13b99aa38e2

Analysis

max time kernel
158s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10e8635e86b91b87a34885a520b66d4b.exe
Size

100KB
MD5

10e8635e86b91b87a34885a520b66d4b
SHA1

11d5b48d38591eb30ee6f8ae38cb8c18a766dc8b
SHA256

863b45178e8083aadf93fe71452843b9e1b8ca40a2df3a18ade9b13b99aa38e2
SHA512

2ebc897ce8b9c0b18ab0c361048ac2df1964ee91d8de2ed1a82effc16273a3b1c0bb1f296925af07dd443ade8a4a1f368add9e949737b92b918e6dd5ade4bbbe
SSDEEP

1536:Ihp/JsoeYQOXPTvIuYY80UGMH1wvSZeM7+Rot:IneYQOfTQuYY80URYEX+Rot

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1884	sysmgr.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4"	sysmgr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	sysmgr.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	sysmgr.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	sysmgr.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	sysmgr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svc.dat	10e8635e86b91b87a34885a520b66d4b.exe
File opened for modification	C:\Windows\conf.dat	sysmgr.exe
File created	C:\Windows\conf.dat	sysmgr.exe
File created	C:\Windows\sysmgr.exe	10e8635e86b91b87a34885a520b66d4b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1884	1900	10e8635e86b91b87a34885a520b66d4b.exe	16
PID 1900 wrote to memory of 1884	1900	10e8635e86b91b87a34885a520b66d4b.exe	16
PID 1900 wrote to memory of 1884	1900	10e8635e86b91b87a34885a520b66d4b.exe	16
PID 1900 wrote to memory of 1884	1900	10e8635e86b91b87a34885a520b66d4b.exe	16

C:\Users\Admin\AppData\Local\Temp\10e8635e86b91b87a34885a520b66d4b.exe
"C:\Users\Admin\AppData\Local\Temp\10e8635e86b91b87a34885a520b66d4b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\sysmgr.exe
  "C:\Windows\sysmgr.exe"
  2⤵
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1900-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads