e290a1fdcb83cc3a4d385eaed40ba5a4e713df002fef9f5d1446b1808770c140

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5884fac3fd83cb8f49032861e7b24bb6.exe
Size

80KB
MD5

5884fac3fd83cb8f49032861e7b24bb6
SHA1

33279856301e3c0afb5e19f8263f2d8ca6582251
SHA256

e290a1fdcb83cc3a4d385eaed40ba5a4e713df002fef9f5d1446b1808770c140
SHA512

87fc1cb23fc46510919bcf9392273b1527e79a0b36ea5543ba3f45cb3394b7db35a82d9fda3f231a1a8b1d310841e4f313d78edbca68ed4eac404a5610de13c0
SSDEEP

1536:LRAh8NBWeu2eOHhIzVi6q6ew7HwWn19M0/Frj3KhvQKAS1tafNK40Sfnw14RjYGX:LBDeWIY6q6ew7QW1n/Fr2hYx+taIIfK+

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Program Files\\Windows Media Player\\svchost.exe,"	1.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	1.exe
2748	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
1060	5884fac3fd83cb8f49032861e7b24bb6.exe
1060	5884fac3fd83cb8f49032861e7b24bb6.exe
1060	5884fac3fd83cb8f49032861e7b24bb6.exe
1060	5884fac3fd83cb8f49032861e7b24bb6.exe
2456	1.exe
2456	1.exe
2748	svchost.exe
2772	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PDLL.dll	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\svchost.exe	1.exe
File created	C:\Program Files\Windows Media Player\svchost.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	1060	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2456	1.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2456	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	28
PID 1060 wrote to memory of 2456	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	28
PID 1060 wrote to memory of 2456	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	28
PID 1060 wrote to memory of 2456	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	28
PID 1060 wrote to memory of 2772	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	29
PID 1060 wrote to memory of 2772	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	29
PID 1060 wrote to memory of 2772	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	29
PID 1060 wrote to memory of 2772	1060	5884fac3fd83cb8f49032861e7b24bb6.exe	29
PID 2456 wrote to memory of 1984	2456	1.exe	30
PID 2456 wrote to memory of 1984	2456	1.exe	30
PID 2456 wrote to memory of 1984	2456	1.exe	30
PID 2456 wrote to memory of 1984	2456	1.exe	30
PID 2456 wrote to memory of 2748	2456	1.exe	32
PID 2456 wrote to memory of 2748	2456	1.exe	32
PID 2456 wrote to memory of 2748	2456	1.exe	32
PID 2456 wrote to memory of 2748	2456	1.exe	32

C:\Users\Admin\AppData\Local\Temp\5884fac3fd83cb8f49032861e7b24bb6.exe
"C:\Users\Admin\AppData\Local\Temp\5884fac3fd83cb8f49032861e7b24bb6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$c5090.tmp.bat
    3⤵
    PID:1984
- - C:\Program Files\Windows Media Player\svchost.exe
    "C:\Program Files\Windows Media Player\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 544
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$c5090.tmp.bat

Filesize
171B

MD5
eaeba0d558a3fcdc4409a1726c14d541

SHA1
5bc0dcfb08b4b66cf9abe4c11f8d7b12070a942a

SHA256
5cf1ac665681c333c2b77a4faa3dc8e5426dd4c2053343d410d383d0a758d110

SHA512
17e4116004711db22fd88bb2a50e6ccfeeb626c8dc542e00e7c9450011da989cd79c03aac3123f4a1cb020c05a8f8e3a609ff8e31eb08d0dcd0b66ac7d46987d

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
169KB

MD5
e80d3e5c247330ea15762d770cc8f4bd

SHA1
1ee43e87834f967a9ec0f51be91ffdb209ebdb58

SHA256
d7ece885cd2c767725a54033f9f0ef9191dcc8a0eb6f5c8834f2f689cfa547cb

SHA512
2fad61448e1a08299ea4b54db10f0bf948f84a0d496453916500861b5f4300a775421f9cce5ad045baa48c0ffa0f666de43d0cc1d31f77535507b305bcebeeca

Download Submit
\Windows\SysWOW64\PDLL.dll

Filesize
135KB

MD5
574356fd9add9f8a10703bc8ffdf8d3b

SHA1
a45e56cf136c4389e259d34714f29cb38ebc2d14

SHA256
601fa862dfcfd8f8e3cd9845462b8133dffed51c73d57d12ca8ef3e2738f1b46

SHA512
f8e814420690e5b2a3d5b2d89dd7bd9684a01fc2bf5f3165ce17ff75ce17f9fed203ef4c634517ad1a199ee736d464b9d23ccaa9170760989063e64102717cde

Download Submit
memory/1060-1-0x0000000000400000-0x0000000000415A79-memory.dmp

Filesize
86KB

Download
memory/2456-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2748-35-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download
memory/2748-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2748-40-0x00000000003C0000-0x00000000003E7000-memory.dmp

Filesize
156KB

Download