e290a1fdcb83cc3a4d385eaed40ba5a4e713df002fef9f5d1446b1808770c140

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 09:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5884fac3fd83cb8f49032861e7b24bb6.exe
Size

80KB
MD5

5884fac3fd83cb8f49032861e7b24bb6
SHA1

33279856301e3c0afb5e19f8263f2d8ca6582251
SHA256

e290a1fdcb83cc3a4d385eaed40ba5a4e713df002fef9f5d1446b1808770c140
SHA512

87fc1cb23fc46510919bcf9392273b1527e79a0b36ea5543ba3f45cb3394b7db35a82d9fda3f231a1a8b1d310841e4f313d78edbca68ed4eac404a5610de13c0
SSDEEP

1536:LRAh8NBWeu2eOHhIzVi6q6ew7HwWn19M0/Frj3KhvQKAS1tafNK40Sfnw14RjYGX:LBDeWIY6q6ew7QW1n/Fr2hYx+taIIfK+

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = ",C:\\Program Files\\Windows Media Player\\svchost.exe,"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	5884fac3fd83cb8f49032861e7b24bb6.exe

Executes dropped EXE 2 IoCs

pid	Process
3184	1.exe
816	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
816	svchost.exe
816	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PDLL.dll	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\svchost.exe	1.exe
File opened for modification	C:\Program Files\Windows Media Player\svchost.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
744	4044	WerFault.exe	71

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
3184	1.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
816	svchost.exe
816	svchost.exe
816	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3184	4044	5884fac3fd83cb8f49032861e7b24bb6.exe	90
PID 4044 wrote to memory of 3184	4044	5884fac3fd83cb8f49032861e7b24bb6.exe	90
PID 4044 wrote to memory of 3184	4044	5884fac3fd83cb8f49032861e7b24bb6.exe	90
PID 3184 wrote to memory of 3120	3184	1.exe	98
PID 3184 wrote to memory of 3120	3184	1.exe	98
PID 3184 wrote to memory of 3120	3184	1.exe	98
PID 3184 wrote to memory of 816	3184	1.exe	100
PID 3184 wrote to memory of 816	3184	1.exe	100
PID 3184 wrote to memory of 816	3184	1.exe	100

C:\Users\Admin\AppData\Local\Temp\5884fac3fd83cb8f49032861e7b24bb6.exe
"C:\Users\Admin\AppData\Local\Temp\5884fac3fd83cb8f49032861e7b24bb6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$c53AE.tmp.bat
    3⤵
    PID:3120
- - C:\Program Files\Windows Media Player\svchost.exe
    "C:\Program Files\Windows Media Player\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 956
  2⤵
  - Program crash
  PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$c53AE.tmp.bat

Filesize
171B

MD5
b6a688f3f19ffbd9dcd0f52433b58a25

SHA1
eb12e7181a86232e96f61d4dc19f3e1abc8a8c59

SHA256
78101c18d203d12e7af599cb1eb7d19566bda898f976a51c1ed615e9d67cdfee

SHA512
05dd82e860c69a3e752eedea7abad47cffbc5f72f3b1e809c1e7d605645bf2a66c6f476ac70971bb60652019077564860c8c19747d03da16d67dc4b11499f2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
169KB

MD5
e80d3e5c247330ea15762d770cc8f4bd

SHA1
1ee43e87834f967a9ec0f51be91ffdb209ebdb58

SHA256
d7ece885cd2c767725a54033f9f0ef9191dcc8a0eb6f5c8834f2f689cfa547cb

SHA512
2fad61448e1a08299ea4b54db10f0bf948f84a0d496453916500861b5f4300a775421f9cce5ad045baa48c0ffa0f666de43d0cc1d31f77535507b305bcebeeca

Download Submit
C:\Windows\SysWOW64\PDLL.dll

Filesize
135KB

MD5
574356fd9add9f8a10703bc8ffdf8d3b

SHA1
a45e56cf136c4389e259d34714f29cb38ebc2d14

SHA256
601fa862dfcfd8f8e3cd9845462b8133dffed51c73d57d12ca8ef3e2738f1b46

SHA512
f8e814420690e5b2a3d5b2d89dd7bd9684a01fc2bf5f3165ce17ff75ce17f9fed203ef4c634517ad1a199ee736d464b9d23ccaa9170760989063e64102717cde

Download Submit
memory/816-21-0x00000000027E0000-0x0000000002807000-memory.dmp

Filesize
156KB

Download
memory/816-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/816-26-0x00000000027E0000-0x0000000002807000-memory.dmp

Filesize
156KB

Download
memory/3184-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4044-0-0x0000000000400000-0x0000000000415A79-memory.dmp

Filesize
86KB

Download
memory/4044-10-0x0000000000400000-0x0000000000415A79-memory.dmp

Filesize
86KB

Download