992c30fb6592698c55cab1b5f79b935851ffff44fba14fced78509c40adfe590

General

Target

261bb636d6195f5582ab63a70e8e7c95.exe
Size

247KB
MD5

261bb636d6195f5582ab63a70e8e7c95
SHA1

7e24100595806dfb80f01a238fa1cf2bc5bcad26
SHA256

992c30fb6592698c55cab1b5f79b935851ffff44fba14fced78509c40adfe590
SHA512

d40690046dbdd68e50fdce94799564b118c3795d322afb1ccf03ee3ebc4ca91ff5959e0c29251f21fed261dd6204aa7be7cb5c51998b46debdc7785cb7b28ad8
SSDEEP

6144:LLf7LEIC/+gEYMKd1UGg80wcFPnvt7eaxj7WqK:L77BCGgBd+zPrhvMo7Wq

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\b72f5ba2\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
3028	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2304	X
336	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	261bb636d6195f5582ab63a70e8e7c95.exe
2276	261bb636d6195f5582ab63a70e8e7c95.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 3028	2276	261bb636d6195f5582ab63a70e8e7c95.exe	28

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{8e8e4083-5159-4c3c-771c-7aa7863b639b}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8e8e4083-5159-4c3c-771c-7aa7863b639b}\u = "71"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8e8e4083-5159-4c3c-771c-7aa7863b639b}\cid = "2070186572074908746"	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2304	X
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3028	2276	261bb636d6195f5582ab63a70e8e7c95.exe	28
PID 2276 wrote to memory of 3028	2276	261bb636d6195f5582ab63a70e8e7c95.exe	28
PID 2276 wrote to memory of 3028	2276	261bb636d6195f5582ab63a70e8e7c95.exe	28
PID 2276 wrote to memory of 3028	2276	261bb636d6195f5582ab63a70e8e7c95.exe	28
PID 2276 wrote to memory of 3028	2276	261bb636d6195f5582ab63a70e8e7c95.exe	28
PID 2276 wrote to memory of 2304	2276	261bb636d6195f5582ab63a70e8e7c95.exe	29
PID 2276 wrote to memory of 2304	2276	261bb636d6195f5582ab63a70e8e7c95.exe	29
PID 2276 wrote to memory of 2304	2276	261bb636d6195f5582ab63a70e8e7c95.exe	29
PID 2276 wrote to memory of 2304	2276	261bb636d6195f5582ab63a70e8e7c95.exe	29
PID 2304 wrote to memory of 1252	2304	X	15
PID 3028 wrote to memory of 336	3028	explorer.exe	5
PID 336 wrote to memory of 1856	336	csrss.exe	30
PID 336 wrote to memory of 1856	336	csrss.exe	30
PID 336 wrote to memory of 520	336	csrss.exe	31
PID 336 wrote to memory of 520	336	csrss.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252
- C:\Users\Admin\AppData\Local\Temp\261bb636d6195f5582ab63a70e8e7c95.exe
  "C:\Users\Admin\AppData\Local\Temp\261bb636d6195f5582ab63a70e8e7c95.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\explorer.exe
    000000B8*
    3⤵
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3028
- - C:\Users\Admin\AppData\Local\b72f5ba2\X
    193.105.154.210:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2304

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1856

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\b72f5ba2\@

Filesize
2KB

MD5
d3c736a85b1c194bc689d7e0dd0d2370

SHA1
4eba0e7ce8d0a753548aed6b3ec43bd0fb2336e6

SHA256
ba5e42760d39422d037a1770f4a0e03f39147240de31cdedfebd15b8aa794171

SHA512
d168b5e400c67957eba4c689eee41a13174efd1afd32af76d789ae47711f863b4fa7d9a5dd46405d3b253888fcc27232ddbd9d627a90e8bd1ee21def1bce1c83

Download Submit
C:\Users\Admin\AppData\Local\b72f5ba2\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
0143a441afe1ad40ffae57d6698dc2b0

SHA1
1d3a8479f6c587d4048a076548b6e7e3870d6506

SHA256
f4f275356c03ae2ec6a7f699fcdfe21c75c80eb7cfdbad4ee34d88de1a3ee21f

SHA512
e3dc76523ea06ee95c802b27184d847cbc4b3267809e863f7ff5594c78802e61515bd7c9b6a64d3fefedbd5fbfab3151c68d16b691e6defe1c7cb347ce5218a0

Download Submit
memory/336-41-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/336-40-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1252-26-0x0000000002950000-0x000000000295B000-memory.dmp

Filesize
44KB

Download
memory/1252-21-0x0000000002950000-0x000000000295B000-memory.dmp

Filesize
44KB

Download
memory/1252-27-0x0000000002960000-0x000000000296B000-memory.dmp

Filesize
44KB

Download
memory/1252-17-0x0000000002950000-0x000000000295B000-memory.dmp

Filesize
44KB

Download
memory/1252-42-0x0000000002960000-0x000000000296B000-memory.dmp

Filesize
44KB

Download
memory/2276-14-0x0000000000400000-0x0000000000449688-memory.dmp

Filesize
293KB

Download
memory/2276-5-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/2276-1-0x0000000000400000-0x0000000000449688-memory.dmp

Filesize
293KB

Download
memory/3028-4-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/3028-8-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download
memory/3028-35-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/3028-28-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads