3f8f3a8fd4ee2f1a9c8874a9f3e90d9d5a05169f3fd7da9dc5311685d68d9f74

General

Target

29fa128fdb68c4dd258f88f907dc865a.exe
Size

64KB
MD5

29fa128fdb68c4dd258f88f907dc865a
SHA1

c1e130c2b973aba2a187ccd8e473829a0eddad8b
SHA256

3f8f3a8fd4ee2f1a9c8874a9f3e90d9d5a05169f3fd7da9dc5311685d68d9f74
SHA512

063045f6dc6bf5a4cf3099aa20215d44bb4d3895de73c0b07a56ce00423024422d4302615b33536c7d36cf61093622c622d6715e4dab60f03b1d0594c284df9c
SSDEEP

1536:HxTDTC+THDx7XNIXAKAGMYf7NoPFSlj2:RTDTXTjxz2XAUf7N

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winlogon.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	29fa128fdb68c4dd258f88f907dc865a.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	winlogon.exe

Deletes itself 1 IoCs

pid	Process
3216	winlogon.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	winlogon.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winlogon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\winlogon.exe	29fa128fdb68c4dd258f88f907dc865a.exe
File created	C:\Windows\system\winlogon.exe	29fa128fdb68c4dd258f88f907dc865a.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\29fa128fdb68c4dd258f88f907dc865a.exe
"C:\Users\Admin\AppData\Local\Temp\29fa128fdb68c4dd258f88f907dc865a.exe"
1⤵
- Looks for VMWare Tools registry key
- Drops file in Windows directory
PID:996

C:\Windows\system\winlogon.exe
"C:\Windows\system\winlogon.exe"
1⤵
- Modifies security service
- Windows security bypass
- Looks for VMWare Tools registry key
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Modifies data under HKEY_USERS
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-0-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/996-6-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-5-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-7-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-10-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-14-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-16-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-19-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads