279a90f79f05c36134a542ba4297df3799fc4869818828d1768d47a34b53deef

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e49407f818f9f343010ec948ceb32c3.exe
Size

52KB
MD5

8e49407f818f9f343010ec948ceb32c3
SHA1

9bd466b756cf4454437f5cdde4443dd3a8222017
SHA256

279a90f79f05c36134a542ba4297df3799fc4869818828d1768d47a34b53deef
SHA512

9fe5b174e1b384a989037212f7e7041ff9154eb0a06ec3b17907abdd25bcc6bf6af69395104d0ce693c1016cbcea588042fa661209a6d5f5ed47a2e3d3190923
SSDEEP

768:2iln/zREBzqhn4AiWUzrfbispgN3crB58Zez57tpydMUq:h1EB65fUzrjiFM15eW7KdMz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:svchost.exe"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2604	svchost.exe
2748	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2092	cmd.exe
2092	cmd.exe
2604	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 2604 set thread context of 2748	2604	svchost.exe	34

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
776	8e49407f818f9f343010ec948ceb32c3.exe
2604	svchost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 776 wrote to memory of 1752	776	8e49407f818f9f343010ec948ceb32c3.exe	28
PID 1752 wrote to memory of 2412	1752	8e49407f818f9f343010ec948ceb32c3.exe	29
PID 1752 wrote to memory of 2412	1752	8e49407f818f9f343010ec948ceb32c3.exe	29
PID 1752 wrote to memory of 2412	1752	8e49407f818f9f343010ec948ceb32c3.exe	29
PID 1752 wrote to memory of 2412	1752	8e49407f818f9f343010ec948ceb32c3.exe	29
PID 1752 wrote to memory of 2092	1752	8e49407f818f9f343010ec948ceb32c3.exe	31
PID 1752 wrote to memory of 2092	1752	8e49407f818f9f343010ec948ceb32c3.exe	31
PID 1752 wrote to memory of 2092	1752	8e49407f818f9f343010ec948ceb32c3.exe	31
PID 1752 wrote to memory of 2092	1752	8e49407f818f9f343010ec948ceb32c3.exe	31
PID 2092 wrote to memory of 2604	2092	cmd.exe	33
PID 2092 wrote to memory of 2604	2092	cmd.exe	33
PID 2092 wrote to memory of 2604	2092	cmd.exe	33
PID 2092 wrote to memory of 2604	2092	cmd.exe	33
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34
PID 2604 wrote to memory of 2748	2604	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\8e49407f818f9f343010ec948ceb32c3.exe
"C:\Users\Admin\AppData\Local\Temp\8e49407f818f9f343010ec948ceb32c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\8e49407f818f9f343010ec948ceb32c3.exe
  C:\Users\Admin\AppData\Local\Temp\8e49407f818f9f343010ec948ceb32c3.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\8e49407f818f9f343010ec948ceb32c3.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
52KB

MD5
8e49407f818f9f343010ec948ceb32c3

SHA1
9bd466b756cf4454437f5cdde4443dd3a8222017

SHA256
279a90f79f05c36134a542ba4297df3799fc4869818828d1768d47a34b53deef

SHA512
9fe5b174e1b384a989037212f7e7041ff9154eb0a06ec3b17907abdd25bcc6bf6af69395104d0ce693c1016cbcea588042fa661209a6d5f5ed47a2e3d3190923

Download Submit
memory/1752-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads