d0057df0cd13877defd02490ec9b4558458533dec39fb4d34c7b5ab5a3b1a08f

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d7d90ca3d347671783fcc2cba3a7078.exe
Size

184KB
MD5

7d7d90ca3d347671783fcc2cba3a7078
SHA1

f3ccd008dcc6525dbf8b331212b1b68d4e1b6056
SHA256

d0057df0cd13877defd02490ec9b4558458533dec39fb4d34c7b5ab5a3b1a08f
SHA512

03fd3913375802884047a6cfbdbcc8e19842fc70d797c7b09f19734b00588db2237789937e568a9d5b4211db332598f347e40a93f52121a4a515e701f24bcac3
SSDEEP

3072:5bTkHUZ4AgcaEM8FrrOovKei+LhNnGGlCVRTkwIOSHNr8lr2bj6:dkHUZ4eJrOovKT+LhlGWITkF8lr2bj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe,"	7d7d90ca3d347671783fcc2cba3a7078.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sdra64.exe	7d7d90ca3d347671783fcc2cba3a7078.exe
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	7d7d90ca3d347671783fcc2cba3a7078.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2300	7d7d90ca3d347671783fcc2cba3a7078.exe
2300	7d7d90ca3d347671783fcc2cba3a7078.exe

C:\Users\Admin\AppData\Local\Temp\7d7d90ca3d347671783fcc2cba3a7078.exe
"C:\Users\Admin\AppData\Local\Temp\7d7d90ca3d347671783fcc2cba3a7078.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-0-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2300-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2300-3-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/2300-4-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download