4b3b6ac268bb911e728c171d71d9a7addb5af282dc8104a8f96ef9d008c54581

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 07:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ad8313a4fb9c59fc58fee923d7a32eb.exe
Size

44KB
MD5

4ad8313a4fb9c59fc58fee923d7a32eb
SHA1

48b7a1c94a8ca7350a553500ade3875c3c4bd17a
SHA256

4b3b6ac268bb911e728c171d71d9a7addb5af282dc8104a8f96ef9d008c54581
SHA512

f10dde827fca62a4607f52423fd925b6ddd66e3c9ef93f3605aa702387201ea14c4ac2c2dd793db451fb62db074cae4f212fa23ad8b325b4ca085a0ff0e635c1
SSDEEP

768:NRZh8q6+OalY5lSRUySEh9K5yqoTm5OTjMIXrpyNcu0SfuakOYT:NXh8qtk5lPWh9K5yqoTKOTkfQ9T

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe iexeplore.exe"	4ad8313a4fb9c59fc58fee923d7a32eb.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	iexeplore.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\iexeplore.exe	4ad8313a4fb9c59fc58fee923d7a32eb.exe
File created	C:\Windows\iexeplore.exe	4ad8313a4fb9c59fc58fee923d7a32eb.exe
File opened for modification	C:\Windows\iexeplore.exe	iexeplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2288	4ad8313a4fb9c59fc58fee923d7a32eb.exe
3068	iexeplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3068	2288	4ad8313a4fb9c59fc58fee923d7a32eb.exe	16
PID 2288 wrote to memory of 3068	2288	4ad8313a4fb9c59fc58fee923d7a32eb.exe	16
PID 2288 wrote to memory of 3068	2288	4ad8313a4fb9c59fc58fee923d7a32eb.exe	16
PID 2288 wrote to memory of 3068	2288	4ad8313a4fb9c59fc58fee923d7a32eb.exe	16

C:\Users\Admin\AppData\Local\Temp\4ad8313a4fb9c59fc58fee923d7a32eb.exe
"C:\Users\Admin\AppData\Local\Temp\4ad8313a4fb9c59fc58fee923d7a32eb.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\iexeplore.exe
  C:\Windows\iexeplore.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\iexeplore.exe

Filesize
44KB

MD5
4ad8313a4fb9c59fc58fee923d7a32eb

SHA1
48b7a1c94a8ca7350a553500ade3875c3c4bd17a

SHA256
4b3b6ac268bb911e728c171d71d9a7addb5af282dc8104a8f96ef9d008c54581

SHA512
f10dde827fca62a4607f52423fd925b6ddd66e3c9ef93f3605aa702387201ea14c4ac2c2dd793db451fb62db074cae4f212fa23ad8b325b4ca085a0ff0e635c1

Download Submit
C:\Windows\iexeplore.exe

Filesize
1KB

MD5
85d3ec5d9eac971351663e67eca06bbc

SHA1
73bed497078d2ddabed3b3a8b5866fc67df7d203

SHA256
6e9e587efa401334dec88bb0409230288f13f3baa13f14e3eac5f2f369bea1c6

SHA512
3cf073a655386dbd3c395050447d7fbb25d1fa54b181229feb3858415b95e35f703c2cf82baa1b37675c0963cbfe1fa40c8aa2f717c35698dca85f8d0b525a65

Download Submit
memory/2288-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads