a484b9176fd8e829c2cc1431b58104a0ebf30689fd711a2668cef79190c9fe2f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c83b3b4c5f291166d4cde0a99544fa3b.exe
Size

110KB
MD5

c83b3b4c5f291166d4cde0a99544fa3b
SHA1

4152b20fac52ecbbe6c833d1cee0b1b16fde55b6
SHA256

a484b9176fd8e829c2cc1431b58104a0ebf30689fd711a2668cef79190c9fe2f
SHA512

94ed80d44c7e3babfce4360fd617aa7406a854375d2040e36691240709785185dd59270d8aef57010db8e4cbc6511c0fd2c86064bef6127a03293dc61d3a8d09
SSDEEP

3072:v1DN/FdTN43femJOBvNgH2T723dztZzv6vQElv:zF7+2mABvNgkitztZjm

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\svchost.exe"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4492	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.exe	c83b3b4c5f291166d4cde0a99544fa3b.exe
File created	C:\Windows\svchost.exe	c83b3b4c5f291166d4cde0a99544fa3b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4492	3932	c83b3b4c5f291166d4cde0a99544fa3b.exe	91
PID 3932 wrote to memory of 4492	3932	c83b3b4c5f291166d4cde0a99544fa3b.exe	91
PID 3932 wrote to memory of 4492	3932	c83b3b4c5f291166d4cde0a99544fa3b.exe	91

C:\Users\Admin\AppData\Local\Temp\c83b3b4c5f291166d4cde0a99544fa3b.exe
"C:\Users\Admin\AppData\Local\Temp\c83b3b4c5f291166d4cde0a99544fa3b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe 472 "C:\Users\Admin\AppData\Local\Temp\c83b3b4c5f291166d4cde0a99544fa3b.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
110KB

MD5
c83b3b4c5f291166d4cde0a99544fa3b

SHA1
4152b20fac52ecbbe6c833d1cee0b1b16fde55b6

SHA256
a484b9176fd8e829c2cc1431b58104a0ebf30689fd711a2668cef79190c9fe2f

SHA512
94ed80d44c7e3babfce4360fd617aa7406a854375d2040e36691240709785185dd59270d8aef57010db8e4cbc6511c0fd2c86064bef6127a03293dc61d3a8d09

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads