8ecba4b9ab5f639c8a3df5ad0856c6b83c96d2c937f2bd2af4fc71907852ccab

General

Target

751ef59be3c954bc0af792f2d426138e.exe
Size

358KB
MD5

751ef59be3c954bc0af792f2d426138e
SHA1

a6631f30664a22c9dd5dd08cad96e3149c16adb3
SHA256

8ecba4b9ab5f639c8a3df5ad0856c6b83c96d2c937f2bd2af4fc71907852ccab
SHA512

2b21d28063717038f1ff424b1009841740316e50ee2a5fd7558ae300e84eac056b4a8c8b3fbcdf52bbb28b8a67cd8a5e2024c07a8affb201cb3c811ce14b86ca
SSDEEP

6144:/uMO+BlSNSvJA6yGjspnJJkwxNmm0PYct5xjg40WSXN5JKk3Sm9p5lTRDGrP02Zk:4WLvJeGwnXkdtlqWmf4kiObTlGbrk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\c1d0fc3f\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3032 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid process

340 csrss.exe
2940 X
Loads dropped DLL 2 IoCs

Processes:

751ef59be3c954bc0af792f2d426138e.exe

pid process

2360 751ef59be3c954bc0af792f2d426138e.exe
2360 751ef59be3c954bc0af792f2d426138e.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

751ef59be3c954bc0af792f2d426138e.exe

description pid process target process

PID 2360 set thread context of 3032 2360 751ef59be3c954bc0af792f2d426138e.exe cmd.exe

pid	process
3032	cmd.exe

pid	process
340	csrss.exe
2940	X

description	pid	process	target process
PID 2360 set thread context of 3032	2360	751ef59be3c954bc0af792f2d426138e.exe	cmd.exe

Modifies registry class 3 IoCs

Processes:

751ef59be3c954bc0af792f2d426138e.exe

description	ioc	process
Key created	\registry\machine\Software\Classes\Interface\{a873d410-6fd3-1b1c-08a3-ea6185436e1c}	751ef59be3c954bc0af792f2d426138e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a873d410-6fd3-1b1c-08a3-ea6185436e1c}\u = "28"	751ef59be3c954bc0af792f2d426138e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a873d410-6fd3-1b1c-08a3-ea6185436e1c}\cid = "7196394949772599857"	751ef59be3c954bc0af792f2d426138e.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

751ef59be3c954bc0af792f2d426138e.exeX

pid	process
2360	751ef59be3c954bc0af792f2d426138e.exe
2360	751ef59be3c954bc0af792f2d426138e.exe
2360	751ef59be3c954bc0af792f2d426138e.exe
2360	751ef59be3c954bc0af792f2d426138e.exe
2940	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

751ef59be3c954bc0af792f2d426138e.exe

description pid process

Token: SeDebugPrivilege 2360 751ef59be3c954bc0af792f2d426138e.exe
Token: SeDebugPrivilege 2360 751ef59be3c954bc0af792f2d426138e.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

340 csrss.exe

description	pid	process
Token: SeDebugPrivilege	2360	751ef59be3c954bc0af792f2d426138e.exe
Token: SeDebugPrivilege	2360	751ef59be3c954bc0af792f2d426138e.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
340	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

751ef59be3c954bc0af792f2d426138e.exeXcsrss.exe

description	pid	process	target process
PID 2360 wrote to memory of 1276	2360	751ef59be3c954bc0af792f2d426138e.exe	Explorer.EXE
PID 2360 wrote to memory of 340	2360	751ef59be3c954bc0af792f2d426138e.exe	csrss.exe
PID 2360 wrote to memory of 2940	2360	751ef59be3c954bc0af792f2d426138e.exe	X
PID 2360 wrote to memory of 2940	2360	751ef59be3c954bc0af792f2d426138e.exe	X
PID 2360 wrote to memory of 2940	2360	751ef59be3c954bc0af792f2d426138e.exe	X
PID 2360 wrote to memory of 2940	2360	751ef59be3c954bc0af792f2d426138e.exe	X
PID 2940 wrote to memory of 1276	2940	X	Explorer.EXE
PID 2360 wrote to memory of 3032	2360	751ef59be3c954bc0af792f2d426138e.exe	cmd.exe
PID 2360 wrote to memory of 3032	2360	751ef59be3c954bc0af792f2d426138e.exe	cmd.exe
PID 2360 wrote to memory of 3032	2360	751ef59be3c954bc0af792f2d426138e.exe	cmd.exe
PID 2360 wrote to memory of 3032	2360	751ef59be3c954bc0af792f2d426138e.exe	cmd.exe
PID 2360 wrote to memory of 3032	2360	751ef59be3c954bc0af792f2d426138e.exe	cmd.exe
PID 340 wrote to memory of 1632	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 1632	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 2696	340	csrss.exe	wmiprvse.exe
PID 340 wrote to memory of 2696	340	csrss.exe	wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\751ef59be3c954bc0af792f2d426138e.exe
"C:\Users\Admin\AppData\Local\Temp\751ef59be3c954bc0af792f2d426138e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\c1d0fc3f\X
176.53.17.23:80
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Deletes itself
PID:3032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1632

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\c1d0fc3f\@

Filesize
2KB

MD5
2321f7348f3e6fd0c31f269f6e6bee81

SHA1
eacd9ae5ab188753483c21b455d54344f4af36e6

SHA256
6e153b6c2f940b32f50ba7597e7602a5d33d244b584b2eed09bc5a8efa3f6867

SHA512
370afa5e18071080838485558d6c68f188b53aeae12873532c5ce4aefc5f1bec76c63b78bb9191ffb1638849a86bc49289caaa4d96e177225a29cb8a0cc1b79e

Download Submit
\Users\Admin\AppData\Local\c1d0fc3f\X

Filesize
41KB

MD5
f2e8308cff5808d84baa7bc3896c6602

SHA1
0a4ea175113bfe3904db040ce887ef79b6e0b9e9

SHA256
46de5cc298cacddbf41b01c6c4a734427d281796c3e8b9709f46f0eeae8fec3b

SHA512
2c6e8aecdb8270ed984367c2659e524b26e254ba9879363d5cfbf671a6f2fbdc68a5ec191f3461505fca76412e3cf8b160a0e53cf379881a83dd21eecbce831c

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
2718f2d89cab642e96ebad313b64f478

SHA1
94b8e9d95786d2e03bfe61df5705f0bfb8b77f19

SHA256
765090821b30dbca4bdf96de0ffeeeb8821013a643f9405285ef7acdb44fab58

SHA512
e25172284c1e5206568310b7a4bb0c62445a56bc5bcaae65dd39ed86456df03faa20e1a883d0df60c9253b250ff7e8d11e7bb05f89dca69ba7c5b261f35a70f6

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
298e22b34b2b05e0b1ee7bbb21031ece

SHA1
1dd45bbb696571086b2ff99829dfb04260c32cf7

SHA256
1c42fd20e7efffab5a80ca8c455639173eb21385191dfc4fd9759ee25bc49e25

SHA512
7dd8fd09f19f6cf686fee5596ed68a365cf4388110481d68bd8a1effef15e4675b37541996f8ab4449744148c0973b15708af2e7d43450bcc59c46c953fad95a

Download Submit
memory/340-29-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/340-27-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/340-30-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/1276-56-0x00000000025F0000-0x00000000025FB000-memory.dmp

Filesize
44KB

Download
memory/1276-53-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/1276-12-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1276-23-0x00000000025C0000-0x00000000025C2000-memory.dmp

Filesize
8KB

Download
memory/1276-61-0x00000000025F0000-0x00000000025FB000-memory.dmp

Filesize
44KB

Download
memory/1276-48-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/1276-16-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1276-54-0x00000000025F0000-0x00000000025FB000-memory.dmp

Filesize
44KB

Download
memory/1276-49-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/1276-44-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/1276-20-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/2360-22-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download
memory/2360-2-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2360-33-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2360-32-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2360-31-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/2360-21-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2360-35-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/2360-1-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/2360-34-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download
memory/2360-3-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2360-57-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/2360-59-0x0000000000400000-0x00000000004639AC-memory.dmp

Filesize
398KB

Download
memory/2360-60-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2360-6-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2360-9-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads