c3e1c1f1d8bfeebb2aa7b97f8ba61d8a9c41e54a73f223141332d080aaa95de3

General

Target

bb3489733dd75ee9c4d66b11ee74d447.exe
Size

348KB
MD5

bb3489733dd75ee9c4d66b11ee74d447
SHA1

261ff8a92b8d7aadb557961e20cf9c13277deb6f
SHA256

c3e1c1f1d8bfeebb2aa7b97f8ba61d8a9c41e54a73f223141332d080aaa95de3
SHA512

93248841168115fec74eb587e26541e376890d492f7a5fca04456f5899ae828b8314243654214325e89b4b321a4a560f43bcbba674b653e0ffdd3e9ed0057f0b
SSDEEP

3072:JpIGmvln+RX0GWDocLiAqq02JtXcuVchWdsItjIj3XOXjC+/c:QGmvlYD0o+cuWUNtYOtc

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	bb3489733dd75ee9c4d66b11ee74d447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2952	netsh.exe

Deletes itself 1 IoCs

pid	Process
1852	winlogon.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3248-1-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3248-5-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3248-22-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-24-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-26-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-27-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-28-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-30-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-31-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-32-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-33-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-34-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1852-35-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	bb3489733dd75ee9c4d66b11ee74d447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	bb3489733dd75ee9c4d66b11ee74d447.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	3248	WerFault.exe	87

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3248	bb3489733dd75ee9c4d66b11ee74d447.exe
1852	winlogon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2952	3248	bb3489733dd75ee9c4d66b11ee74d447.exe	99
PID 3248 wrote to memory of 2952	3248	bb3489733dd75ee9c4d66b11ee74d447.exe	99
PID 3248 wrote to memory of 2952	3248	bb3489733dd75ee9c4d66b11ee74d447.exe	99
PID 3248 wrote to memory of 1852	3248	bb3489733dd75ee9c4d66b11ee74d447.exe	100
PID 3248 wrote to memory of 1852	3248	bb3489733dd75ee9c4d66b11ee74d447.exe	100
PID 3248 wrote to memory of 1852	3248	bb3489733dd75ee9c4d66b11ee74d447.exe	100

C:\Users\Admin\AppData\Local\Temp\bb3489733dd75ee9c4d66b11ee74d447.exe
"C:\Users\Admin\AppData\Local\Temp\bb3489733dd75ee9c4d66b11ee74d447.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" CityScape Enable
  2⤵
  - Modifies Windows Firewall
  PID:2952
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  /d C:\Users\Admin\AppData\Local\Temp\bb3489733dd75ee9c4d66b11ee74d447.exe
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 776
  2⤵
  - Program crash
  PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3248 -ip 3248
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ntlrXqcN

Filesize
51KB

MD5
bde69ccb31786ccdd00935af634b2a99

SHA1
a2a70ae523fb5ba6a553ed0fb5a805984d3221b6

SHA256
07dd7ec4eaa7982455b9d58fd29c0c22f08212d89aa855d1eae21c0f91829a17

SHA512
b7ae244edf83e8e99be079ef84353d92f6b46060eecb7ed0a10d9444d1119d7b85b6e97a014028a3702a3099b5067bd50c1da372a5c22f0d173bb64d9fa78c61

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
348KB

MD5
15dcaef0389ab787ce9910730b9c851e

SHA1
7387214e38184f1a6a92e0b63378ae027e1d0508

SHA256
07bc5d3190a22052acc2374723b3fd9bb672322d78db6d9b52075d746c4dacf1

SHA512
ccb58c17aca09b94398a3600e6b654db8b66c3796c5bb62c5c4c00c19e43563fc59b7db43508433d5fb1a42f79b3fc2b6817355963a7a207e059c5f80cf73d35

Download Submit
memory/1852-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-28-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-31-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3248-5-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3248-0-0x0000000000670000-0x00000000006C9000-memory.dmp

Filesize
356KB

Download
memory/3248-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3248-1-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads