0ace1841939b63f43f033ab096b61846f373b359d9c927096752d88c437bcbb6

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_15b406601992e80b9f5a22448a7df1f2.exe
Size

58KB
MD5

15b406601992e80b9f5a22448a7df1f2
SHA1

5213baac74fd04cdd846efb1656cd70a423d130d
SHA256

0ace1841939b63f43f033ab096b61846f373b359d9c927096752d88c437bcbb6
SHA512

10ad5e8047a459569d0ac3baeb3db414a6459a0222b65e4bbb39c45eba01fa59679f5d2fc785eafd53a35f5d01f7261d8bbd4f5ecd019b1401ad69d260279b85
SSDEEP

1536:p3kwY3zkrGpVKMZKpJFyO6tXp3EoIDQ4KSk:p32JK0SFb6tXW7CS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\cache.dat"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1340	VirusShare_15b406601992e80b9f5a22448a7df1f2.exe
2580	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1340	VirusShare_15b406601992e80b9f5a22448a7df1f2.exe
1340	VirusShare_15b406601992e80b9f5a22448a7df1f2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	svchost.exe
2580	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1348	2580	svchost.exe	31
PID 2580 wrote to memory of 1348	2580	svchost.exe	31
PID 2580 wrote to memory of 1348	2580	svchost.exe	31
PID 2580 wrote to memory of 1348	2580	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\VirusShare_15b406601992e80b9f5a22448a7df1f2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_15b406601992e80b9f5a22448a7df1f2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: MapViewOfSection
PID:1340

C:\Windows\syswow64\svchost.exe
"C:\Windows\syswow64\svchost.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-7-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/1244-8-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/1340-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1340-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1340-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1340-3-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/1340-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1340-6-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/2580-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-22-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2580-9-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2580-12-0x0000000077A50000-0x0000000077A51000-memory.dmp

Filesize
4KB

Download
memory/2580-16-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2580-18-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2580-20-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2580-13-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/2580-21-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2580-23-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2580-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2580-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2580-24-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2580-27-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2580-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download