9067410066b12182f3febd3022466b59a489174114619e9017d839be95b2e5a4

General

Target

8f08d1078af1933864eeb72304d91263.exe
Size

94KB
MD5

8f08d1078af1933864eeb72304d91263
SHA1

9f6b8afe4c5827c7efee94d0fb871306b5c42043
SHA256

9067410066b12182f3febd3022466b59a489174114619e9017d839be95b2e5a4
SHA512

90597ddbffc10819361309c7e0734ff301befc6cdab099b97d3c326564e2c277b94339a69ee43d40e8fe980930fb1a1da102f1b64d1b58de978557ae435cb12c
SSDEEP

1536:emYSU2LKIYK/dRd+TU3nKxk55dKVD2ORUEJJ1+uCBeQF720uWooikpbW77HPtnZ:em62LK3Wh+1swvPAu4T+XDkpbW/HVZ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Program Files\\Windows Media Player\\svchost.exe,"	8f08d1078af1933864eeb72304d91263.exe

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2680	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PDLL.dll	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\svchost.exe	8f08d1078af1933864eeb72304d91263.exe
File opened for modification	C:\Program Files\Windows Media Player\svchost.exe	8f08d1078af1933864eeb72304d91263.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2208	8f08d1078af1933864eeb72304d91263.exe
2680	svchost.exe
2680	svchost.exe
2680	svchost.exe
2680	svchost.exe
2680	svchost.exe
2680	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2316	2208	8f08d1078af1933864eeb72304d91263.exe	28
PID 2208 wrote to memory of 2316	2208	8f08d1078af1933864eeb72304d91263.exe	28
PID 2208 wrote to memory of 2316	2208	8f08d1078af1933864eeb72304d91263.exe	28
PID 2208 wrote to memory of 2316	2208	8f08d1078af1933864eeb72304d91263.exe	28
PID 2208 wrote to memory of 2680	2208	8f08d1078af1933864eeb72304d91263.exe	30
PID 2208 wrote to memory of 2680	2208	8f08d1078af1933864eeb72304d91263.exe	30
PID 2208 wrote to memory of 2680	2208	8f08d1078af1933864eeb72304d91263.exe	30
PID 2208 wrote to memory of 2680	2208	8f08d1078af1933864eeb72304d91263.exe	30

C:\Users\Admin\AppData\Local\Temp\8f08d1078af1933864eeb72304d91263.exe
"C:\Users\Admin\AppData\Local\Temp\8f08d1078af1933864eeb72304d91263.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$c6587.tmp.bat
  2⤵
  - Deletes itself
  PID:2316
- C:\Program Files\Windows Media Player\svchost.exe
  "C:\Program Files\Windows Media Player\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\svchost.exe

Filesize
94KB

MD5
8f08d1078af1933864eeb72304d91263

SHA1
9f6b8afe4c5827c7efee94d0fb871306b5c42043

SHA256
9067410066b12182f3febd3022466b59a489174114619e9017d839be95b2e5a4

SHA512
90597ddbffc10819361309c7e0734ff301befc6cdab099b97d3c326564e2c277b94339a69ee43d40e8fe980930fb1a1da102f1b64d1b58de978557ae435cb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$c6587.tmp.bat

Filesize
233B

MD5
36df8431ec825e7bebf875759f01820d

SHA1
302b1e5f79012b02637a611ea3ec79832ddff9f5

SHA256
cf3f81cc88a46774a0c26eb860f0303ed76e99c2b1a948ea0ab69223482eb683

SHA512
31c87348d63a8f5f34ef2aff1ae75bb137fd6579c353597ea0daca058dcbf954cfa1328e91f765ab9fe09ce6c8ea1a67f63cc334716e220ba5fba1152cf58b39

Download Submit
\Windows\SysWOW64\PDLL.dll

Filesize
136KB

MD5
af25d6eed122acf9d42d40133692854b

SHA1
5b637ee91bde37ad3e5c62a48774411afd6d79d8

SHA256
34f3d2b0b9aa5c3bc4bbb13671ae2e66c0a62d579bc3aebc0940eda1b231fea2

SHA512
ec89ab1ef8b125774e4418cb64ac7d22585dfe8eafa53cee39a10c507b3599774c345804f0c6bb9a0e6fd42b5538ceca9c851d55070aeb3349f75fa81d505207

Download Submit
memory/2208-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-1-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2208-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-19-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/2208-26-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/2680-23-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2680-24-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/2680-27-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads