3d48126c37845f90ea4b721441a455f42721f7f95d89314231e6cc157c0b5594

General

Target

4d82b339090969beb92592c9559ca8f2.exe
Size

526KB
MD5

4d82b339090969beb92592c9559ca8f2
SHA1

aac6009791e0439cfe94749d2fb9fe962c8eac14
SHA256

3d48126c37845f90ea4b721441a455f42721f7f95d89314231e6cc157c0b5594
SHA512

d095813b09f045e9b8e3961bdf4256d918bf5fbb0357ec5ee98aa81b21ed381e74ce8af8782b73599424401e6927f49bd5a6bf2988abb620385d20dce5223799
SSDEEP

12288:fT56KM9fKAuxVTGAF3Z4mxxx9e8vcAezIML63HA:bUt9fK/xVdQmXTe8EAezIMWQ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Kvmon.exe -ini"	4.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	4.exe

Loads dropped DLL 2 IoCs

pid	Process
836	4d82b339090969beb92592c9559ca8f2.exe
836	4d82b339090969beb92592c9559ca8f2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d82b339090969beb92592c9559ca8f2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Kvmon.exe	4.exe
File opened for modification	C:\Windows\Kvmon.exe	4.exe
File created	C:\Windows\Kvmon.dll	4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	4.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2940	836	4d82b339090969beb92592c9559ca8f2.exe	28
PID 836 wrote to memory of 2940	836	4d82b339090969beb92592c9559ca8f2.exe	28
PID 836 wrote to memory of 2940	836	4d82b339090969beb92592c9559ca8f2.exe	28
PID 836 wrote to memory of 2940	836	4d82b339090969beb92592c9559ca8f2.exe	28
PID 2940 wrote to memory of 2608	2940	4.exe	29
PID 2940 wrote to memory of 2608	2940	4.exe	29
PID 2940 wrote to memory of 2608	2940	4.exe	29
PID 2940 wrote to memory of 2608	2940	4.exe	29
PID 2940 wrote to memory of 2608	2940	4.exe	29
PID 2940 wrote to memory of 2668	2940	4.exe	30
PID 2940 wrote to memory of 2668	2940	4.exe	30
PID 2940 wrote to memory of 2668	2940	4.exe	30
PID 2940 wrote to memory of 2668	2940	4.exe	30

C:\Users\Admin\AppData\Local\Temp\4d82b339090969beb92592c9559ca8f2.exe
"C:\Users\Admin\AppData\Local\Temp\4d82b339090969beb92592c9559ca8f2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    about:blank
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    3⤵
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
164KB

MD5
7d521688bb974e05380fe7e958c802b8

SHA1
185a22598b9dd9235fbc643e38dc2ae3ce24a667

SHA256
7886ef873c46103b6ede07699fd3a20c4b2b9fa4b10fdc6f6f5755c7d293f918

SHA512
9cba65ef90dd5a2510041f208914d0df70affa56bbaa55de2791645efa151c42eff1a0ea6efd16b1ad82556e248933f82e53ba8cb20c2732f879e93d78d89fa9

Download Submit
memory/836-12-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/836-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/836-25-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/836-22-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/836-11-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/836-20-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/836-19-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/836-18-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/836-17-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/836-16-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/836-15-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/836-14-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/836-26-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/836-13-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/836-21-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/836-10-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/836-9-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/836-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/836-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/836-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/836-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/836-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/836-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/836-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/836-0-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/836-38-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/836-39-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2940-37-0x0000000000400000-0x0000000000491020-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads