917194aba115713f144d469cdcb71ffe4363df2bb0cda260c048d185a91619ec

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490b7416a9b567976819b39ade1ed32f.exe
Size

84KB
MD5

490b7416a9b567976819b39ade1ed32f
SHA1

154b6f33f12fcd74c54e3a3778ff1ad0bd5046d0
SHA256

917194aba115713f144d469cdcb71ffe4363df2bb0cda260c048d185a91619ec
SHA512

47a40830185f6a4af3d5bdfa65fd5f2becd498994a331785aac1c5e4f02cbcf491286f14c0713ad8c8a96078da3369cf36c5f67365d943484c240911fd7f80b1
SSDEEP

1536:UI2gT9JsQ6ZsM01g5iSwRJWEyq4DSruYtM4sOgCRloJR/0JoNlYsY1NHTZ5:ZRD9e1inWE/4D+XllZJWlYLNzZ

Score

6^/10

persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdnez.exe"	490b7416a9b567976819b39ade1ed32f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdnez.exe	490b7416a9b567976819b39ade1ed32f.exe
File opened for modification	C:\Windows\SysWOW64\kdnez.exe	490b7416a9b567976819b39ade1ed32f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	4668	WerFault.exe	14

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe
4668	490b7416a9b567976819b39ade1ed32f.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSecurityPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeTakeOwnershipPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeLoadDriverPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSystemProfilePrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSystemtimePrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeProfSingleProcessPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeIncBasePriorityPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeCreatePagefilePrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeBackupPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeRestorePrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeShutdownPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeDebugPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeSystemEnvironmentPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeChangeNotifyPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeRemoteShutdownPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeUndockPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeManageVolumePrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeImpersonatePrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: SeCreateGlobalPrivilege	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: 33	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: 34	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: 35	4668	490b7416a9b567976819b39ade1ed32f.exe
Token: 36	4668	490b7416a9b567976819b39ade1ed32f.exe

C:\Users\Admin\AppData\Local\Temp\490b7416a9b567976819b39ade1ed32f.exe
"C:\Users\Admin\AppData\Local\Temp\490b7416a9b567976819b39ade1ed32f.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1120
  2⤵
  - Program crash
  PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4668-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4668-1-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/4668-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download