0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f

General

Target

0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
Size

1.3MB
MD5

fe11f252a14d3eda9a9fd40627a49b42
SHA1

6feb47b70a0028bcd8482b301dc1c2286ac1cda9
SHA256

0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f
SHA512

2fc3b6ef8686fe96abbbe2f7b98177d02060e992a69662a70e842b4ece89130d3dceadb0d79bd9b7002f90eb5cad04b16a5d01b595530b575ff1c3b405bd2d7e
SSDEEP

24576:+fVE9JOwLpXSel31n20ESW9AR3lL3VIGtdoXwEhBQgAGaCKJ1wSvXhJNE8x4Dd2z:+fVE9nLpXf1yCdK4B2a

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Program Files (x86)\\CN23AEAHR00001S.exe,"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	CN23AEAHR00001S.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CN23AEAHR00001S.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\CN23AEAHR00001S.exe	cmd.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3928	PING.EXE
3756	PING.EXE
3056	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2124	CN23AEAHR00001S.exe
2124	CN23AEAHR00001S.exe
2124	CN23AEAHR00001S.exe
2124	CN23AEAHR00001S.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
Token: SeDebugPrivilege	2124	CN23AEAHR00001S.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4436	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	93
PID 1208 wrote to memory of 4436	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	93
PID 1208 wrote to memory of 4436	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	93
PID 4436 wrote to memory of 3756	4436	cmd.exe	96
PID 4436 wrote to memory of 3756	4436	cmd.exe	96
PID 4436 wrote to memory of 3756	4436	cmd.exe	96
PID 1208 wrote to memory of 4460	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	105
PID 1208 wrote to memory of 4460	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	105
PID 1208 wrote to memory of 4460	1208	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	105
PID 4460 wrote to memory of 3056	4460	cmd.exe	107
PID 4460 wrote to memory of 3056	4460	cmd.exe	107
PID 4460 wrote to memory of 3056	4460	cmd.exe	107
PID 4436 wrote to memory of 4940	4436	cmd.exe	115
PID 4436 wrote to memory of 4940	4436	cmd.exe	115
PID 4436 wrote to memory of 4940	4436	cmd.exe	115
PID 4460 wrote to memory of 3928	4460	cmd.exe	117
PID 4460 wrote to memory of 3928	4460	cmd.exe	117
PID 4460 wrote to memory of 3928	4460	cmd.exe	117
PID 4460 wrote to memory of 2124	4460	cmd.exe	118
PID 4460 wrote to memory of 2124	4460	cmd.exe	118
PID 4460 wrote to memory of 2124	4460	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
"C:\Users\Admin\AppData\Local\Temp\0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Program Files (x86)\CN23AEAHR00001S.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 38
    3⤵
    - Runs ping.exe
    PID:3756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Program Files (x86)\CN23AEAHR00001S.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe" "C:\Program Files (x86)\CN23AEAHR00001S.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Program Files (x86)\CN23AEAHR00001S.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 49
    3⤵
    - Runs ping.exe
    PID:3056
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 49
    3⤵
    - Runs ping.exe
    PID:3928
- - C:\Program Files (x86)\CN23AEAHR00001S.exe
    "C:\Program Files (x86)\CN23AEAHR00001S.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CN23AEAHR00001S.exe

Filesize
1.3MB

MD5
fe11f252a14d3eda9a9fd40627a49b42

SHA1
6feb47b70a0028bcd8482b301dc1c2286ac1cda9

SHA256
0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f

SHA512
2fc3b6ef8686fe96abbbe2f7b98177d02060e992a69662a70e842b4ece89130d3dceadb0d79bd9b7002f90eb5cad04b16a5d01b595530b575ff1c3b405bd2d7e

Download Submit
memory/1208-8-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

Filesize
64KB

Download
memory/1208-10-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

Filesize
64KB

Download
memory/1208-3-0x0000000005820000-0x00000000058BC000-memory.dmp

Filesize
624KB

Download
memory/1208-4-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

Filesize
64KB

Download
memory/1208-5-0x0000000005AC0000-0x0000000005B04000-memory.dmp

Filesize
272KB

Download
memory/1208-6-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/1208-7-0x0000000005CF0000-0x0000000005CFA000-memory.dmp

Filesize
40KB

Download
memory/1208-0-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1208-2-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/1208-11-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

Filesize
64KB

Download
memory/1208-9-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1208-13-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1208-1-0x0000000000110000-0x000000000025A000-memory.dmp

Filesize
1.3MB

Download
memory/2124-19-0x0000000000E30000-0x0000000000F7A000-memory.dmp

Filesize
1.3MB

Download
memory/2124-20-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/2124-21-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2124-22-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads