Analysis Overview
SHA256
994302eb33e3da38c27165b7ee9166f880faf46e353d4f21ae5d4d2f832494b0
Threat Level: Known bad
The file b35cd39d4d132e5fdd1561644f1d7f4c was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
ASPack v2.12-2.42
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 00:49
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 00:49
Reported
2024-03-05 00:51
Platform
win7-20240221-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\ntos.exe," | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
| File created | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe
"C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe"
Network
Files
memory/1308-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1308-4-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 00:49
Reported
2024-03-05 00:51
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
154s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe," | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
| File created | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe
"C:\Users\Admin\AppData\Local\Temp\b35cd39d4d132e5fdd1561644f1d7f4c.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
Files