514800ca5b5162ad8aab542f41654a2c7b3790537543691313bb74addd351176 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ctmon.exe
Size

5.2MB
Sample

240225-tlr41sgd6w
MD5

d7ca45659894912607bfb4e3c969379a
SHA1

c930fe71cee79cadddb5330ab15e107f5551643c
SHA256

514800ca5b5162ad8aab542f41654a2c7b3790537543691313bb74addd351176
SHA512

eb2ccbbb7b2dec1bdf1fe3d9826f9a67d6b024e48acfd8f451269c837b08d51f7450aa5e440c0c5bda7e1a371a2a279403c34a5179c13bac5924d6c4906188f1
SSDEEP

98304:nrAdIvTJvpwfDtnPfTkiHEixVHShWQq7Sx+wl5lHbTisC7oish2Z:rdTM7tnPfTyiGq7lmHrqsh2Z

Score

10^/10

persistence

Malware Config

Targets

- Target
  
  ctmon.exe
- Size
  
  5.2MB
- MD5
  
  d7ca45659894912607bfb4e3c969379a
- SHA1
  
  c930fe71cee79cadddb5330ab15e107f5551643c
- SHA256
  
  514800ca5b5162ad8aab542f41654a2c7b3790537543691313bb74addd351176
- SHA512
  
  eb2ccbbb7b2dec1bdf1fe3d9826f9a67d6b024e48acfd8f451269c837b08d51f7450aa5e440c0c5bda7e1a371a2a279403c34a5179c13bac5924d6c4906188f1
- SSDEEP
  
  98304:nrAdIvTJvpwfDtnPfTkiHEixVHShWQq7Sx+wl5lHbTisC7oish2Z:rdTM7tnPfTyiGq7lmHrqsh2Z
Score

10^/10

persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Registers new Windows logon scripts automatically executed at logon.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Initialization Scripts

Logon Script (Windows)

Privilege Escalation

Boot or Logon Initialization Scripts

Logon Script (Windows)

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1