b4a027a076dedcf298f7d698247c4e421cd99ee4631968ccd6b3cd95149a9f37

General

Target

255c477720714631ab83f35df3a57e2e.exe
Size

495KB
MD5

255c477720714631ab83f35df3a57e2e
SHA1

4744210bbfe19bbc5f7228b4e082713a74ffdd37
SHA256

b4a027a076dedcf298f7d698247c4e421cd99ee4631968ccd6b3cd95149a9f37
SHA512

4004f30b3b67f97826ddbac4169e85b8b81ad627d39326b218f99e1a55ffc3ea72c42672d522175ca8d7e62f1292ea5d8cd8c1df83aec5ccd82f9821d627e23c
SSDEEP

12288:ON2i+m+iPsCC3uF3Z4mxx9oQkA/F4qaYP:Vm+qsCC+QmX95jf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\Impersonate = "0"	255c477720714631ab83f35df3a57e2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\DllName = "C:\\Windows\\System32\\Systen.dll"	255c477720714631ab83f35df3a57e2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\Startup = "ServiceMain"	255c477720714631ab83f35df3a57e2e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS	255c477720714631ab83f35df3a57e2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	255c477720714631ab83f35df3a57e2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS	255c477720714631ab83f35df3a57e2e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\Asynchronous = "1"	255c477720714631ab83f35df3a57e2e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systen.dll	255c477720714631ab83f35df3a57e2e.exe
File opened for modification	C:\Windows\SysWOW64\Systen.dll	255c477720714631ab83f35df3a57e2e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\259398446.dll	255c477720714631ab83f35df3a57e2e.exe
File created	C:\Windows\259398524.bat	255c477720714631ab83f35df3a57e2e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	255c477720714631ab83f35df3a57e2e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	255c477720714631ab83f35df3a57e2e.exe
Token: SeDebugPrivilege	2020	255c477720714631ab83f35df3a57e2e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 436	2020	255c477720714631ab83f35df3a57e2e.exe	23
PID 2020 wrote to memory of 2572	2020	255c477720714631ab83f35df3a57e2e.exe	28
PID 2020 wrote to memory of 2572	2020	255c477720714631ab83f35df3a57e2e.exe	28
PID 2020 wrote to memory of 2572	2020	255c477720714631ab83f35df3a57e2e.exe	28
PID 2020 wrote to memory of 2572	2020	255c477720714631ab83f35df3a57e2e.exe	28
PID 2020 wrote to memory of 2656	2020	255c477720714631ab83f35df3a57e2e.exe	29
PID 2020 wrote to memory of 2656	2020	255c477720714631ab83f35df3a57e2e.exe	29
PID 2020 wrote to memory of 2656	2020	255c477720714631ab83f35df3a57e2e.exe	29
PID 2020 wrote to memory of 2656	2020	255c477720714631ab83f35df3a57e2e.exe	29

C:\Users\Admin\AppData\Local\Temp\255c477720714631ab83f35df3a57e2e.exe
"C:\Users\Admin\AppData\Local\Temp\255c477720714631ab83f35df3a57e2e.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\259398524.bat" C:\Windows\259398~1.DLL"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\259398524.bat" C:\Users\Admin\AppData\Local\Temp\255C47~1.EXE"
  2⤵
  - Deletes itself
  PID:2656

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\259398524.bat

Filesize
55B

MD5
6e8746e34abb1a9fe60e344ccd504f8f

SHA1
2d758f13f47e6e70c526c006ab62f6c54e58fc88

SHA256
e4ad97c9c116b065cc796b301c561878325b66072dcc62ab8019c4060170adea

SHA512
30344a8c73e1c2f456532249b8cd7160aef24b870dd1da53023ab480e2c5f87ef660096d06e1fd589a71115ec280d058b949de42439fe6153cf47334cc2e3e11

Download Submit
C:\Windows\SysWOW64\Systen.dll

Filesize
371KB

MD5
24693d9b784480c30e6e644cd13343fd

SHA1
aa39376fd000ac88aa7834dde98b349d4a6dab51

SHA256
03b60e59e252cb9a488c80f73261044bef52974940d7fcd324eb1969215ffad7

SHA512
21e15405a8b807c529f20ca93fc227c479fa2d9eae629cb54f3a82c46d7f23785e65c80167e808d1c93f42eec6f191dbbad219ec9e68d8e4fcdc6aa440c5b495

Download Submit
memory/436-20-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2020-14-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2020-5-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2020-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2020-13-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2020-10-0x00000000033C0000-0x0000000003425000-memory.dmp

Filesize
404KB

Download
memory/2020-9-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2020-6-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2020-15-0x00000000031D0000-0x00000000031D2000-memory.dmp

Filesize
8KB

Download
memory/2020-4-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2020-2-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2020-16-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2020-8-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download
memory/2020-35-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2020-34-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2020-36-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2020-37-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads