917194aba115713f144d469cdcb71ffe4363df2bb0cda260c048d185a91619ec

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490b7416a9b567976819b39ade1ed32f.exe
Size

84KB
MD5

490b7416a9b567976819b39ade1ed32f
SHA1

154b6f33f12fcd74c54e3a3778ff1ad0bd5046d0
SHA256

917194aba115713f144d469cdcb71ffe4363df2bb0cda260c048d185a91619ec
SHA512

47a40830185f6a4af3d5bdfa65fd5f2becd498994a331785aac1c5e4f02cbcf491286f14c0713ad8c8a96078da3369cf36c5f67365d943484c240911fd7f80b1
SSDEEP

1536:UI2gT9JsQ6ZsM01g5iSwRJWEyq4DSruYtM4sOgCRloJR/0JoNlYsY1NHTZ5:ZRD9e1inWE/4D+XllZJWlYLNzZ

Score

6^/10

persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdjcf.exe"	490b7416a9b567976819b39ade1ed32f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdjcf.exe	490b7416a9b567976819b39ade1ed32f.exe
File opened for modification	C:\Windows\SysWOW64\kdjcf.exe	490b7416a9b567976819b39ade1ed32f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2356	2116	WerFault.exe	1

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe
2116	490b7416a9b567976819b39ade1ed32f.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSecurityPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeTakeOwnershipPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeLoadDriverPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSystemProfilePrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSystemtimePrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeProfSingleProcessPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeIncBasePriorityPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeCreatePagefilePrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeBackupPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeRestorePrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeShutdownPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeDebugPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSystemEnvironmentPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeChangeNotifyPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeRemoteShutdownPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeUndockPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeManageVolumePrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeImpersonatePrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: SeCreateGlobalPrivilege	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: 33	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: 34	2116	490b7416a9b567976819b39ade1ed32f.exe
Token: 35	2116	490b7416a9b567976819b39ade1ed32f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2356	2116	490b7416a9b567976819b39ade1ed32f.exe	16
PID 2116 wrote to memory of 2356	2116	490b7416a9b567976819b39ade1ed32f.exe	16
PID 2116 wrote to memory of 2356	2116	490b7416a9b567976819b39ade1ed32f.exe	16
PID 2116 wrote to memory of 2356	2116	490b7416a9b567976819b39ade1ed32f.exe	16

C:\Users\Admin\AppData\Local\Temp\490b7416a9b567976819b39ade1ed32f.exe
"C:\Users\Admin\AppData\Local\Temp\490b7416a9b567976819b39ade1ed32f.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 476
  2⤵
  - Program crash
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-1-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2116-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download