c390e62943f6c3cd8a21a5aed7b9d8528b30cae4bad6a5ba26f817d9bbf68d5f

General

Target

280c3da5ea65c959067f8ab553037370.exe
Size

320KB
MD5

280c3da5ea65c959067f8ab553037370
SHA1

7941c2b2118fd30c2b8c65a1beab08d9331203c9
SHA256

c390e62943f6c3cd8a21a5aed7b9d8528b30cae4bad6a5ba26f817d9bbf68d5f
SHA512

628bf2984f38a82cda34f4b1afbe6f1a810201a29b9ce2e0f6a9daee31b7a86fa60dd114888d3c0f77cb10d5a539b2cc0b255c29abeb58a13613f4fdc0447041
SSDEEP

6144:ym/o/vvofih8jWlw7WtoPkvVOfzUE8uoglOs5WY94/JzZwLZ5rLLVIqxE+1qg:5o/UWIkNOfzUEQgFGJNmjKqxE+1

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\sbcvvhost_win86.exe"	280c3da5ea65c959067f8ab553037370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\sbcvvhost_win86.exe"	280c3da5ea65c959067f8ab553037370.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	280c3da5ea65c959067f8ab553037370.exe

Disables Task Manager via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ScJzIf0-kevt-RkjF-pr7R-UIAZ3ihJ5KXN}	280c3da5ea65c959067f8ab553037370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ScJzIf0-kevt-RkjF-pr7R-UIAZ3ihJ5KXN}\WBhXTAWuFpmNyON = "\"C:\\Users\\Admin\\AppData\\Roaming\\sbcvvhost_win86.exe\" /ActiveX"	280c3da5ea65c959067f8ab553037370.exe

Loads dropped DLL 2 IoCs

Processes:

280c3da5ea65c959067f8ab553037370.exe

pid process

4740 280c3da5ea65c959067f8ab553037370.exe
4740 280c3da5ea65c959067f8ab553037370.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4740-2-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/4740-4-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/4740-5-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/4740-6-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/4740-7-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/4740-23-0x0000000000400000-0x000000000049A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WBhXTAWuFpmNyON = "C:\\Users\\Admin\\AppData\\Roaming\\sbcvvhost_win86.exe"	280c3da5ea65c959067f8ab553037370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WBhXTAWuFpmNyON = "C:\\Users\\Admin\\AppData\\Roaming\\sbcvvhost_win86.exe"	280c3da5ea65c959067f8ab553037370.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	280c3da5ea65c959067f8ab553037370.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	280c3da5ea65c959067f8ab553037370.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

280c3da5ea65c959067f8ab553037370.exe

description pid process target process

PID 4612 set thread context of 4740 4612 280c3da5ea65c959067f8ab553037370.exe 280c3da5ea65c959067f8ab553037370.exe

description	pid	process	target process
PID 4612 set thread context of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

280c3da5ea65c959067f8ab553037370.exe

pid	process
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

280c3da5ea65c959067f8ab553037370.exe280c3da5ea65c959067f8ab553037370.exe

pid	process
4612	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe
4740	280c3da5ea65c959067f8ab553037370.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

280c3da5ea65c959067f8ab553037370.exe

description	pid	process	target process
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe
PID 4612 wrote to memory of 4740	4612	280c3da5ea65c959067f8ab553037370.exe	280c3da5ea65c959067f8ab553037370.exe

C:\Users\Admin\AppData\Local\Temp\280c3da5ea65c959067f8ab553037370.exe
"C:\Users\Admin\AppData\Local\Temp\280c3da5ea65c959067f8ab553037370.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\280c3da5ea65c959067f8ab553037370.exe
C:\Users\Admin\AppData\Local\Temp\280c3da5ea65c959067f8ab553037370.exe
2⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwlGina3.dll
Filesize
93KB

MD5
1173123287198dce1eb831f04e28352c

SHA1
39d650f4297c990a7ffaa7dc3b6d0ef903c9bd14

SHA256
65d4582e135c774d9c827ae08de8b77f199ee934f13d1a0537df4f5d18f590ba

SHA512
e9fdb6e808b0f3ed850fb364d48609a9726fd41ad138594fc04f8d48d5672aec3aaa76af236f07c4263c053dc539f99009e74491adb03c885190dcce78f0cede

Download Submit
memory/4740-2-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4740-4-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4740-5-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4740-6-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4740-7-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4740-8-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4740-14-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/4740-23-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4740-24-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/4740-27-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads