Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
01-02-2024 16:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8751033a7635d5292ee6acf6b7ce070b.exe
Resource
win7-20231215-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
8751033a7635d5292ee6acf6b7ce070b.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8751033a7635d5292ee6acf6b7ce070b.exe
-
Size
255KB
-
MD5
8751033a7635d5292ee6acf6b7ce070b
-
SHA1
043e6703de1bb3b80da086c3170a3a32ff0daa75
-
SHA256
187af94549eb0421867470da250a14ad73e30252b91352a9a152fd55f2559eb9
-
SHA512
1e01f144893dbcd157fbc560a9faa054c947b77667b7ad761888035a3930c24e4eaf84a1de18f1d5808d25ea97a32aa80cd0a0147c6d83774cdad876c3430188
-
SSDEEP
6144:nNU2+2kcTBWUZxjCld3hRV2QsXSAaj4ijpFaQTQisa:nNRdpgdRRoTCD4ijpoix
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\875103~1.EXE," 8751033a7635d5292ee6acf6b7ce070b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\875103~1.EXE" 8751033a7635d5292ee6acf6b7ce070b.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b8fc5221 = "\x1fJB*Ï‚s³Ss%#ÉÜ®E™”ÐÑ«Èòx‹\\>Θè\v\fÜ|É'$†\u0081‹ì¾ÆhƒEzš\x0eéÜÚ©á\u00a0’JèžAd\t¼ž|sÄÝ®ÿB0§Ï\núl®$qNOñ>ÚÊÇ\u0090®8Ñ)Añ˜z·\x17\x1c´\b@\x7f¡òž<_t\x7f\x11|ùq\x0e*Áz§„:Q!—T¢ºÀâ\x1f\x1f©÷\x11Œ\x11ˆ8F¤áI/¿vx¶¯ÄÇ©Ì_\a—T¨d17¡B¡ò\x1c\u0081âQ" 8751033a7635d5292ee6acf6b7ce070b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\875103~1.EXE" 8751033a7635d5292ee6acf6b7ce070b.exe -
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe 3108 8751033a7635d5292ee6acf6b7ce070b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeSecurityPrivilege 3108 8751033a7635d5292ee6acf6b7ce070b.exe Token: SeSecurityPrivilege 3108 8751033a7635d5292ee6acf6b7ce070b.exe Token: SeSecurityPrivilege 3108 8751033a7635d5292ee6acf6b7ce070b.exe Token: SeSecurityPrivilege 3108 8751033a7635d5292ee6acf6b7ce070b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8751033a7635d5292ee6acf6b7ce070b.exe"C:\Users\Admin\AppData\Local\Temp\8751033a7635d5292ee6acf6b7ce070b.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108