2a0295f5bab05005fd6e3bf733fcb5e5f153674ad01b8aaf2179e05d8580f3c7

General

Target

b7433dc4de9676276bba102f171358aa.exe
Size

403KB
MD5

b7433dc4de9676276bba102f171358aa
SHA1

9c9f39850fe3a414651bab6c81b04b4d6d1523f0
SHA256

2a0295f5bab05005fd6e3bf733fcb5e5f153674ad01b8aaf2179e05d8580f3c7
SHA512

64a8e82899891fc809bf68c0c0a6f6d45e8b0dcba2445b77da2b2bc40895b48431aa8572096589450d48a2272200c4b17c0bc9539f5feaa46503cbfd3482b218
SSDEEP

6144:tBZn9oaRZ0RDG1NQv0Q/ldddHBDcuydIe/vgPux34toGwKMTMjexpnr90T:RlRZrNQv13ddH1crdrRxt4MgqrnyT

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

b7433dc4de9676276bba102f171358aa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\fF02401DfIeL02401\\fF02401DfIeL02401.exe"	b7433dc4de9676276bba102f171358aa.exe

Deletes itself 1 IoCs

Processes:

fF02401DfIeL02401.exe

pid process

2268 fF02401DfIeL02401.exe
Executes dropped EXE 1 IoCs

Processes:

fF02401DfIeL02401.exe

pid process

2268 fF02401DfIeL02401.exe
Loads dropped DLL 2 IoCs

Processes:

b7433dc4de9676276bba102f171358aa.exe

pid process

3028 b7433dc4de9676276bba102f171358aa.exe
3028 b7433dc4de9676276bba102f171358aa.exe

pid	process
2268	fF02401DfIeL02401.exe

pid	process
2268	fF02401DfIeL02401.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3028-1-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/3028-81-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/3028-102-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2268-104-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fF02401DfIeL02401.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fF02401DfIeL02401 = "C:\\ProgramData\\fF02401DfIeL02401\\fF02401DfIeL02401.exe"	fF02401DfIeL02401.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b7433dc4de9676276bba102f171358aa.exe

pid	process
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe
3028	b7433dc4de9676276bba102f171358aa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b7433dc4de9676276bba102f171358aa.exefF02401DfIeL02401.exe

description pid process

Token: SeDebugPrivilege 3028 b7433dc4de9676276bba102f171358aa.exe
Token: SeDebugPrivilege 2268 fF02401DfIeL02401.exe

description	pid	process
Token: SeDebugPrivilege	3028	b7433dc4de9676276bba102f171358aa.exe
Token: SeDebugPrivilege	2268	fF02401DfIeL02401.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b7433dc4de9676276bba102f171358aa.exe

description	pid	process	target process
PID 3028 wrote to memory of 2268	3028	b7433dc4de9676276bba102f171358aa.exe	fF02401DfIeL02401.exe
PID 3028 wrote to memory of 2268	3028	b7433dc4de9676276bba102f171358aa.exe	fF02401DfIeL02401.exe
PID 3028 wrote to memory of 2268	3028	b7433dc4de9676276bba102f171358aa.exe	fF02401DfIeL02401.exe
PID 3028 wrote to memory of 2268	3028	b7433dc4de9676276bba102f171358aa.exe	fF02401DfIeL02401.exe

C:\Users\Admin\AppData\Local\Temp\b7433dc4de9676276bba102f171358aa.exe
"C:\Users\Admin\AppData\Local\Temp\b7433dc4de9676276bba102f171358aa.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\ProgramData\fF02401DfIeL02401\fF02401DfIeL02401.exe
"C:\ProgramData\fF02401DfIeL02401\fF02401DfIeL02401.exe" "C:\Users\Admin\AppData\Local\Temp\b7433dc4de9676276bba102f171358aa.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fF02401DfIeL02401\fF02401DfIeL02401
Filesize
208B

MD5
060fc9695757a2c4fdb5bcab3aaee8cb

SHA1
65c55fc83158a06f5f9b5603750b5dcd5a540884

SHA256
6c25bcf3e808b980701dd7da7167e783b10abc2a8f54c95ab5d7dafb0f541e33

SHA512
9965893c9162ae8889a52a3f68038d952f2f4b3c8453fd54d8509675b2bb553ad09cf136dd44f6e747260bebf0aad430fdb4f6d36c57b3a74c0d31e65aa67514

Download Submit
\ProgramData\fF02401DfIeL02401\fF02401DfIeL02401.exe
Filesize
403KB

MD5
25e1923025bc5c3872ee175f31d7a57f

SHA1
2cc75cc2c4feec1bc916610cc480a5487e5ef8dd

SHA256
5e767d25848773c638f0bf0ffc570debcfca2cd8c3e055191e5ce554ed59467f

SHA512
b29c9927c2e956afcb7014f21d81ccc3840952ef8a3801fae5b5104a25de73f57cb264f24eac04f0888c4b8460353bbe8d7a51aa15e9dd13149dbd34d9c71d22

Download Submit
memory/2268-104-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2268-105-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/3028-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3028-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3028-81-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3028-102-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads