08ef1a2643f2d97ea39aa628a6a56a1109db245ae5c795278b4529d9e2f4a4c7

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b2e2c622aed1aaccb8f17d500b7321.exe
Size

2.6MB
MD5

49b2e2c622aed1aaccb8f17d500b7321
SHA1

a73b715a6ce39a6983c29765de0eef9156899ed3
SHA256

08ef1a2643f2d97ea39aa628a6a56a1109db245ae5c795278b4529d9e2f4a4c7
SHA512

0da166b392bcfe55c700a123414b03d706f5eb3c585e905f7db32b0db004f189c517f11ed343428ac92a9559538f05a2fb802fe5c0e210a8d233719c154c0328
SSDEEP

49152:9cUUQTLnKiVql9Bs8dKj+LFh2Hs7VcsxL2QlAQjLGi/9JNIzg6:mwHs9s8lLFxfCQ2QjLH9uJ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\xKsLHgjFBHJwJAJa\\664DlHQcJscC.exe\",explorer.exe"	49b2e2c622aed1aaccb8f17d500b7321.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	8bE1XT1hzqW5g1D3.exe

Loads dropped DLL 1 IoCs

pid	Process
1352	49b2e2c622aed1aaccb8f17d500b7321.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe
1352	49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	49b2e2c622aed1aaccb8f17d500b7321.exe
Token: 33	1352	49b2e2c622aed1aaccb8f17d500b7321.exe
Token: SeIncBasePriorityPrivilege	1352	49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2388	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	34
PID 1352 wrote to memory of 2388	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	34
PID 1352 wrote to memory of 2388	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	34
PID 1352 wrote to memory of 2388	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	34
PID 1352 wrote to memory of 2732	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	33
PID 1352 wrote to memory of 2732	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	33
PID 1352 wrote to memory of 2732	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	33
PID 1352 wrote to memory of 2732	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	33
PID 1352 wrote to memory of 2788	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	32
PID 1352 wrote to memory of 2788	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	32
PID 1352 wrote to memory of 2788	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	32
PID 1352 wrote to memory of 2788	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	32
PID 1352 wrote to memory of 2804	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	31
PID 1352 wrote to memory of 2804	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	31
PID 1352 wrote to memory of 2804	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	31
PID 1352 wrote to memory of 2804	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	31
PID 1352 wrote to memory of 2808	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	30
PID 1352 wrote to memory of 2808	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	30
PID 1352 wrote to memory of 2808	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	30
PID 1352 wrote to memory of 2808	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	30
PID 1352 wrote to memory of 2828	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	29
PID 1352 wrote to memory of 2828	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	29
PID 1352 wrote to memory of 2828	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	29
PID 1352 wrote to memory of 2828	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	29
PID 1352 wrote to memory of 2792	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	28
PID 1352 wrote to memory of 2792	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	28
PID 1352 wrote to memory of 2792	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	28
PID 1352 wrote to memory of 2792	1352	49b2e2c622aed1aaccb8f17d500b7321.exe	28

C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
"C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
  "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
  "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
  "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
  2⤵
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
  "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
  "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
  2⤵
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
  "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\8bE1XT1hzqW5g1D3.exe
  "C:\Users\Admin\AppData\Local\Temp\8bE1XT1hzqW5g1D3.exe"
  2⤵
  - Executes dropped EXE
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8bE1XT1hzqW5g1D3.exe

Filesize
5KB

MD5
1366bd01f669bdf3c5ba1c8aa74442db

SHA1
24189c709cedd43dcf9674f48c2681d0648e5ded

SHA256
35c6f0a096e8e543a288575c0a7220e1cb7ae1b29ec9ff2cd38daef1517aff9c

SHA512
a8b098733809eaad46178f78c9d52ed761cac8613914a80c824d628821f82bbb5c052ddc2a7ae0ec86f4c501dde831ce17478ce1097f4522aa6165e98af8dec4

Download Submit
\Users\Admin\AppData\Local\Temp\8bE1XT1hzqW5g1D3.exe

Filesize
96KB

MD5
c2e88ab5859165538d4f1bef3b895aa3

SHA1
a42b200746095f71f7be468696b328662e7ef57f

SHA256
58e2575f5533e2953fca498f72247a8b394d7b0faab7bd5ebf1e63e7b475585b

SHA512
57ee64f3e091e3d27c10939c62fa0bde161c3199ac014ae42383a4b7dfba683f527fec19c39475108545ef780bd5ac19f9c5483855324f754c34cb3337a9d7aa

Download Submit
memory/1352-0-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-2-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1352-1-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-10-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download