e04f83a60e6849f62e49e79aecd3644e5f7257a7e5e47c765cca0c9b287b369c

Analysis

max time kernel
54s
max time network
52s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/01/2024, 14:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sessionsploit.exe
Size

208KB
MD5

ab076c40c794f6fae556eb095d14cfa8
SHA1

4943f12b5549a40d069e97d00420b3d0aab200bf
SHA256

e04f83a60e6849f62e49e79aecd3644e5f7257a7e5e47c765cca0c9b287b369c
SHA512

8e509f9b4c893f243d937b8dc2b69d7bc491936abf1ba7e25009e4120b5f5a55a9092acfb7fa4c968cc40c9b8e97c3d464d251ef85a720585f8c18d401b82cf5
SSDEEP

1536:AH6UMZGECgfV3X1mq1dF/1bJbsIeZueZ8hck+4dAO2VfbNjIal1ukBhpTJAAr:AH6USn1tnbsI+cnl2fZd+s

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
4976	tmp2C89.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe
4856	sessionsploit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4856	sessionsploit.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3480	Process not Found
1392	Process not Found
4140	Process not Found
1164	Process not Found
1160	Process not Found
3976	Process not Found
1048	Process not Found
2480	Process not Found
1128	Process not Found
1108	Process not Found
4964	Process not Found
4528	Process not Found
3680	Process not Found
3308	Process not Found
3676	Process not Found
2696	Process not Found
1364	Process not Found
4292	Process not Found
1608	Process not Found
3212	Process not Found
2344	Process not Found
3188	Process not Found
2248	Process not Found
1944	Process not Found
2256	Process not Found
2000	Process not Found
4636	Process not Found
1352	Process not Found
4872	Process not Found
4572	Process not Found
1404	Process not Found
5056	Process not Found
4620	Process not Found
1824	Process not Found
3080	Process not Found
2348	Process not Found
4948	Process not Found
1124	Process not Found
3648	Process not Found
4692	Process not Found
916	Process not Found
4548	Process not Found
3356	Process not Found
4200	Process not Found
3064	Process not Found
2516	Process not Found
4412	Process not Found
4268	Process not Found
3988	Process not Found
5012	Process not Found
504	Process not Found
2988	Process not Found
4464	Process not Found
3860	Process not Found
2368	Process not Found
5072	Process not Found
756	Process not Found
776	Process not Found
4608	Process not Found
4648	Process not Found
4132	Process not Found
4168	Process not Found
2432	Process not Found
2108	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	sessionsploit.exe
Token: SeDebugPrivilege	4856	sessionsploit.exe
Token: SeDebugPrivilege	4856	sessionsploit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
700	LogonUI.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 196	4856	sessionsploit.exe	74
PID 4856 wrote to memory of 196	4856	sessionsploit.exe	74
PID 196 wrote to memory of 4552	196	cmd.exe	76
PID 196 wrote to memory of 4552	196	cmd.exe	76
PID 196 wrote to memory of 3360	196	cmd.exe	77
PID 196 wrote to memory of 3360	196	cmd.exe	77
PID 4552 wrote to memory of 3200	4552	net.exe	78
PID 4552 wrote to memory of 3200	4552	net.exe	78
PID 4856 wrote to memory of 5088	4856	sessionsploit.exe	79
PID 4856 wrote to memory of 5088	4856	sessionsploit.exe	79
PID 5088 wrote to memory of 4164	5088	cmd.exe	81
PID 5088 wrote to memory of 4164	5088	cmd.exe	81
PID 4164 wrote to memory of 708	4164	net.exe	82
PID 4164 wrote to memory of 708	4164	net.exe	82
PID 4856 wrote to memory of 1776	4856	sessionsploit.exe	83
PID 4856 wrote to memory of 1776	4856	sessionsploit.exe	83
PID 1776 wrote to memory of 420	1776	cmd.exe	85
PID 1776 wrote to memory of 420	1776	cmd.exe	85
PID 1776 wrote to memory of 1688	1776	cmd.exe	86
PID 1776 wrote to memory of 1688	1776	cmd.exe	86
PID 1776 wrote to memory of 3136	1776	cmd.exe	91
PID 1776 wrote to memory of 3136	1776	cmd.exe	91
PID 1776 wrote to memory of 1940	1776	cmd.exe	90
PID 1776 wrote to memory of 1940	1776	cmd.exe	90
PID 1776 wrote to memory of 2292	1776	cmd.exe	89
PID 1776 wrote to memory of 2292	1776	cmd.exe	89
PID 1776 wrote to memory of 4996	1776	cmd.exe	88
PID 1776 wrote to memory of 4996	1776	cmd.exe	88
PID 420 wrote to memory of 1832	420	net.exe	87
PID 420 wrote to memory of 1832	420	net.exe	87
PID 1776 wrote to memory of 3004	1776	cmd.exe	92
PID 1776 wrote to memory of 3004	1776	cmd.exe	92
PID 4856 wrote to memory of 4976	4856	sessionsploit.exe	93
PID 4856 wrote to memory of 4976	4856	sessionsploit.exe	93

C:\Users\Admin\AppData\Local\Temp\sessionsploit.exe
"C:\Users\Admin\AppData\Local\Temp\sessionsploit.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net localgroup "Administrators" | find "Admin"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:196
- - C:\Windows\system32\net.exe
    net localgroup "Administrators"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administrators"
      4⤵
      PID:3200
- - C:\Windows\system32\find.exe
    find "Admin"
    3⤵
    PID:3360
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net user Admin moi
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\net.exe
    net user Admin moi
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin moi
      4⤵
      PID:708
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net user Admin | findstr /v "The command completed successfully" | findstr /v "Logon script" | findstr /v "Home directory" | findstr /v "Comment" | findstr /v "group membership" | findstr /v "Group Memberships"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\net.exe
    net user Admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin
      4⤵
      PID:1832
- - C:\Windows\system32\findstr.exe
    findstr /v "The command completed successfully"
    3⤵
    PID:1688
- - C:\Windows\system32\findstr.exe
    findstr /v "group membership"
    3⤵
    PID:4996
- - C:\Windows\system32\findstr.exe
    findstr /v "Comment"
    3⤵
    PID:2292
- - C:\Windows\system32\findstr.exe
    findstr /v "Home directory"
    3⤵
    PID:1940
- - C:\Windows\system32\findstr.exe
    findstr /v "Logon script"
    3⤵
    PID:3136
- - C:\Windows\system32\findstr.exe
    findstr /v "Group Memberships"
    3⤵
    PID:3004
- C:\Users\Admin\AppData\Local\Temp\tmp2C89.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp2C89.tmp" 1
  2⤵
  - Executes dropped EXE
  PID:4976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af1855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2C89.tmp

Filesize
23KB

MD5
ddb4f5dc12ec364dd325a2c63ab5f0de

SHA1
cf3c725036a7442de1d94f9aa70cfd524da258da

SHA256
4b5df4ce25bcd9cf635cded7333f5f53d23f57b2adaca1ddf987c4b717f7ffb4

SHA512
c526b3dbf8dd03f03e0c2453f5e95ed0e9f5a54c00445d21234fbfbffb24d8d4c864d2d45bbe4cc9cc55585586ab13978579a4f2482a86ac5e0c516c6e722a04

Download Submit
memory/4856-0-0x000001AC26100000-0x000001AC26138000-memory.dmp

Filesize
224KB

Download
memory/4856-1-0x00007FFCD50B0000-0x00007FFCD5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-2-0x000001AC264D0000-0x000001AC264E0000-memory.dmp

Filesize
64KB

Download
memory/4856-3-0x000001AC264D0000-0x000001AC264E0000-memory.dmp

Filesize
64KB

Download
memory/4856-4-0x000001AC264D0000-0x000001AC264E0000-memory.dmp

Filesize
64KB

Download
memory/4856-5-0x00007FFCD50B0000-0x00007FFCD5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-6-0x000001AC264D0000-0x000001AC264E0000-memory.dmp

Filesize
64KB

Download
memory/4856-7-0x000001AC264D0000-0x000001AC264E0000-memory.dmp

Filesize
64KB

Download
memory/4856-8-0x000001AC264D0000-0x000001AC264E0000-memory.dmp

Filesize
64KB

Download
memory/4856-13-0x00007FFCD50B0000-0x00007FFCD5A9C000-memory.dmp

Filesize
9.9MB

Download