812ab2231039f79543bfde09ee2eeab98a7fccf5acacf5fcee1a25dd7cd9639d

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ec91c48b01ae1de71da600edb4e3879.exe
Size

48KB
MD5

7ec91c48b01ae1de71da600edb4e3879
SHA1

3e491e67d47cbef93fd84a8b91a94de1a57ef7e6
SHA256

812ab2231039f79543bfde09ee2eeab98a7fccf5acacf5fcee1a25dd7cd9639d
SHA512

f05d73e67bb919868e03da376063a458dfd4a6c703b5c6132cbbd0869a7b2259a7e114b67c7e01f41a1ad6f1e302353e956a5d567bd5ba6b837b18edee0d7563
SSDEEP

384:F/cLiYQy1jepLbkcamnDCZtMJwCDlZQQTI45:F//YQypepnnnGZtMW4lGqI

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SERVICES.EXE,C:\\Windows\\system32\\userinit.exe"	7ec91c48b01ae1de71da600edb4e3879.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\down.exe	7ec91c48b01ae1de71da600edb4e3879.exe
File opened for modification	C:\Windows\vinfo.txt	7ec91c48b01ae1de71da600edb4e3879.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe
4080	7ec91c48b01ae1de71da600edb4e3879.exe

C:\Users\Admin\AppData\Local\Temp\7ec91c48b01ae1de71da600edb4e3879.exe
"C:\Users\Admin\AppData\Local\Temp\7ec91c48b01ae1de71da600edb4e3879.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\vinfo.txt

Filesize
5B

MD5
47cd76e43f74bbc2e1baaf194d07e1fa

SHA1
91e95be6b6634e3c21072dfcd661146728694326

SHA256
92521fc3cbd964bdc9f584a991b89fddaa5754ed1cc96d6d42445338669c1305

SHA512
10910aab7de5e168e04fa5d8df2ecc66e4aab45e676bc4ac6f222787cd461cfa6efbe9fe81769747c1993c76c3e744600134778dd83df837cafa1e6689372f40

Download Submit
memory/4080-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download