9a81134b3c673ae7acec80878e046efd88a5fd616a9409e40954d9a265cd7761

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9c94e7de16ae088cc9bece32c264812.exe
Size

171KB
MD5

c9c94e7de16ae088cc9bece32c264812
SHA1

a05982bf41654726e8db9a910b6fb4a8aba4fa81
SHA256

9a81134b3c673ae7acec80878e046efd88a5fd616a9409e40954d9a265cd7761
SHA512

0405116b797e2e43f8407aca721981f422175480be2c60758d406569372a25adf37ad9f577af748e6c906d3340fdcbe7e2561040c0aa88c77d579ac48da9f364
SSDEEP

3072:dcH4QQKq6uewjct8lYpiYWbSsuQhaP4FGWNG3kUD7hJzIyjLhn3WLf5HGmC:+hQN6ujXYppWbSNQcP4FGkir5JzIShnR

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,explorer.exe"	c9c94e7de16ae088cc9bece32c264812.exe

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\explorer.exe	c9c94e7de16ae088cc9bece32c264812.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	c9c94e7de16ae088cc9bece32c264812.exe
File created	C:\Windows\SysWOW64\hh.exe	c9c94e7de16ae088cc9bece32c264812.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1772	1152	c9c94e7de16ae088cc9bece32c264812.exe	28
PID 1152 wrote to memory of 1772	1152	c9c94e7de16ae088cc9bece32c264812.exe	28
PID 1152 wrote to memory of 1772	1152	c9c94e7de16ae088cc9bece32c264812.exe	28
PID 1152 wrote to memory of 1772	1152	c9c94e7de16ae088cc9bece32c264812.exe	28
PID 1152 wrote to memory of 2252	1152	c9c94e7de16ae088cc9bece32c264812.exe	29
PID 1152 wrote to memory of 2252	1152	c9c94e7de16ae088cc9bece32c264812.exe	29
PID 1152 wrote to memory of 2252	1152	c9c94e7de16ae088cc9bece32c264812.exe	29
PID 1152 wrote to memory of 2252	1152	c9c94e7de16ae088cc9bece32c264812.exe	29

C:\Users\Admin\AppData\Local\Temp\c9c94e7de16ae088cc9bece32c264812.exe
"C:\Users\Admin\AppData\Local\Temp\c9c94e7de16ae088cc9bece32c264812.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\c9c94e7de16ae088cc9bece32c264812.exe.de.bat
  2⤵
  - Deletes itself
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c9c94e7de16ae088cc9bece32c264812.exe.de.bat

Filesize
263B

MD5
1502496305fbcb680c51aa65cab46e66

SHA1
02f36086e9258f947e5383c158f4fbd573cd3132

SHA256
d6a67411c9ecff318dfa50492d43ccd7b78fd3af45da376c816065734d148bc4

SHA512
cafb885db42698c0e8295ddfa8cde9add5cdb1b64134d3503d88268b55b7158e27283e1c327d4eb8a24ebbd5af46797a173f9a6255c8c6558804e59b075f6763

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads