28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

General

Target

9cba67b5a3086744c0d4f831079b319b.exe
Size

5.1MB
MD5

9cba67b5a3086744c0d4f831079b319b
SHA1

9db9ea7ad37fb54ada8486ce1bb5a4dab489186e
SHA256

28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486
SHA512

57cdd4cc35e8148cfed304cce7af9d43df50acc5fe2ec3a85c72723ba18e6153f16031ced478273292dabd95005da4a145656285e932d85569333f9dc740b649
SSDEEP

98304:NVJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jCP:7pOwu2t26uqRsnf2VXvD6jC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

9cba67b5a3086744c0d4f831079b319b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\","	9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

9cba67b5a3086744c0d4f831079b319b.exepowershell.exe

pid	process
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
2492	9cba67b5a3086744c0d4f831079b319b.exe
1476	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9cba67b5a3086744c0d4f831079b319b.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2492 9cba67b5a3086744c0d4f831079b319b.exe
Token: SeDebugPrivilege 1476 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2492	9cba67b5a3086744c0d4f831079b319b.exe
Token: SeDebugPrivilege	1476	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

9cba67b5a3086744c0d4f831079b319b.exeWScript.exe

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:580
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:840
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:288
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

Filesize
150B

MD5
ed6d432bdbf28ed6ac0cf59692f5e0fe

SHA1
29b388b1b2cf5d2fea4d80088093ec6ea2575ca7

SHA256
452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe

SHA512
9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

Download Submit
memory/1476-20-0x0000000070920000-0x0000000070ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-19-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1476-18-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1476-17-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1476-16-0x0000000070920000-0x0000000070ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-15-0x0000000070920000-0x0000000070ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-3-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/2492-14-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-6-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2492-5-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-4-0x00000000008C0000-0x00000000008DE000-memory.dmp

Filesize
120KB

Download
memory/2492-0-0x00000000000D0000-0x00000000005F0000-memory.dmp

Filesize
5.1MB

Download
memory/2492-2-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2492-1-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2492 wrote to memory of 2224	2492	9cba67b5a3086744c0d4f831079b319b.exe	WScript.exe
PID 2492 wrote to memory of 2224	2492	9cba67b5a3086744c0d4f831079b319b.exe	WScript.exe
PID 2492 wrote to memory of 2224	2492	9cba67b5a3086744c0d4f831079b319b.exe	WScript.exe
PID 2492 wrote to memory of 2224	2492	9cba67b5a3086744c0d4f831079b319b.exe	WScript.exe
PID 2224 wrote to memory of 1476	2224	WScript.exe	powershell.exe
PID 2224 wrote to memory of 1476	2224	WScript.exe	powershell.exe
PID 2224 wrote to memory of 1476	2224	WScript.exe	powershell.exe
PID 2224 wrote to memory of 1476	2224	WScript.exe	powershell.exe
PID 2492 wrote to memory of 580	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 580	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 580	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 580	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2804	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2804	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2804	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2804	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2780	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2780	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2780	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2780	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2864	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2864	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2864	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2864	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2920	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2920	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2920	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2920	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 840	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 840	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 840	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 840	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 288	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 288	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 288	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 288	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2932	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2932	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2932	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 2932	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 1496	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 1496	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 1496	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 1496	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 576	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 576	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 576	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe
PID 2492 wrote to memory of 576	2492	9cba67b5a3086744c0d4f831079b319b.exe	9cba67b5a3086744c0d4f831079b319b.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads