74f0bf7e738527bb84df1bf3a1603cfb6f09c27e3c75dbd70462f137112df9cd

General

Target

767f07294d51123d79c4a3d10f850278.exe
Size

564KB
MD5

767f07294d51123d79c4a3d10f850278
SHA1

810cee42f525a0bc48387f29b18fb91d48697aa5
SHA256

74f0bf7e738527bb84df1bf3a1603cfb6f09c27e3c75dbd70462f137112df9cd
SHA512

9a886569238bdac1e87189d2348d5b5326bc7b9f91110aab13a441c971e0e340d318b49eb1a173a7cec27ca5a0f774c578f7406b82c897bd1fa2a3294b087512
SSDEEP

6144:fC5Rydo1Li9eSlcFELaa7TQwtutvrNGbFzppkSessTgFo8oh:f8yy5i9eS3LRHuhNGbFzppkSessTgFo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	767f07294d51123d79c4a3d10f850278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
532	netsh.exe

Deletes itself 1 IoCs

pid	Process
2296	spoolsv.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	767f07294d51123d79c4a3d10f850278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	767f07294d51123d79c4a3d10f850278.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4080	2404	WerFault.exe	59

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2404	767f07294d51123d79c4a3d10f850278.exe
2296	spoolsv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 532	2404	767f07294d51123d79c4a3d10f850278.exe	92
PID 2404 wrote to memory of 532	2404	767f07294d51123d79c4a3d10f850278.exe	92
PID 2404 wrote to memory of 532	2404	767f07294d51123d79c4a3d10f850278.exe	92
PID 2404 wrote to memory of 2296	2404	767f07294d51123d79c4a3d10f850278.exe	93
PID 2404 wrote to memory of 2296	2404	767f07294d51123d79c4a3d10f850278.exe	93
PID 2404 wrote to memory of 2296	2404	767f07294d51123d79c4a3d10f850278.exe	93

C:\Users\Admin\AppData\Local\Temp\767f07294d51123d79c4a3d10f850278.exe
"C:\Users\Admin\AppData\Local\Temp\767f07294d51123d79c4a3d10f850278.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\spoolsv.exe" CityScape Enable
  2⤵
  - Modifies Windows Firewall
  PID:532
- C:\Users\Admin\AppData\Roaming\spoolsv.exe
  /d C:\Users\Admin\AppData\Local\Temp\767f07294d51123d79c4a3d10f850278.exe
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 776
  2⤵
  - Program crash
  PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2404 -ip 2404
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\eJbhWlWU

Filesize
51KB

MD5
cb2b4610e66cf1cd2598b1d8bc443f03

SHA1
315563d817162ff1250d00867c26f6bb088935cc

SHA256
801179eec895373c621fb4c024c6e4ef6b309db881f2b279692579082499c1eb

SHA512
f264929fff786c05eb13517939eb55a4755da19b475b7855ca7e2edb6850c84543122260456cd60006ef42cd66c22b3930d9714e9acc1ea49422e788042f0baf

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
564KB

MD5
f871f257a7b262304a673d81328839cb

SHA1
1578a2cabd8f46f8e37afff227f9fc04aad948ab

SHA256
be3ff01baec08e5e31ef3d1c80f202d2fd4539409afa235afc743ada7776c52e

SHA512
e38259bf5efafefc8b4966746a07cdea1c904c8c0e6bc434f4b6dd01fbaf48e9f5647177fb3c80f2bd648dfaaa7e05c8acb63d77bb1e0ba7d0d2b7886b9779b2

Download Submit
memory/2296-24-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2296-25-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2296-27-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2296-30-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2296-33-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2296-36-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2404-0-0x00000000022E0000-0x000000000236F000-memory.dmp

Filesize
572KB

Download
memory/2404-1-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2404-21-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads