3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1821s
max time network
1819s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
Size

357KB
MD5

ec3f1de3d4cbf11a03d8b009e304670b
SHA1

09e5d173dac5fc4afd3954017b39375f00f32ebe
SHA256

299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88
SHA512

e78a3724a53a780a7ee85ceabd325dbb778b0d2dc7ac13b5ba8e0b5698eaafbbe22bb2edff78324ec86c97e7749ae92b77f675bb9259a7287ec031f0ba293a67
SSDEEP

6144:x5mYqVMTMrX5MvgEJBe/OtpgJwOEV71iR4K/Rlxz7WAkDNoIpa4d46/:xjqVOMrXWvgEfe0UwtoZ7JkD84K

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\das5A9E.tmp"	das5A9E.tmp

Deletes itself 1 IoCs

pid	Process
1884	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	das5A9E.tmp

Loads dropped DLL 3 IoCs

pid	Process
3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1968	das5A9E.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1968	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	31
PID 3004 wrote to memory of 1968	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	31
PID 3004 wrote to memory of 1968	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	31
PID 3004 wrote to memory of 1968	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	31
PID 1968 wrote to memory of 112	1968	das5A9E.tmp	32
PID 1968 wrote to memory of 112	1968	das5A9E.tmp	32
PID 1968 wrote to memory of 112	1968	das5A9E.tmp	32
PID 1968 wrote to memory of 112	1968	das5A9E.tmp	32
PID 112 wrote to memory of 556	112	cmd.exe	34
PID 112 wrote to memory of 556	112	cmd.exe	34
PID 112 wrote to memory of 556	112	cmd.exe	34
PID 112 wrote to memory of 556	112	cmd.exe	34
PID 3004 wrote to memory of 1884	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	35
PID 3004 wrote to memory of 1884	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	35
PID 3004 wrote to memory of 1884	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	35
PID 3004 wrote to memory of 1884	3004	299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe	35

C:\Users\Admin\AppData\Local\Temp\299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
"C:\Users\Admin\AppData\Local\Temp\299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\das5A9E.tmp
  C:\Users\Admin\AppData\Local\Temp\das5A9E.tmp
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "route.exe print > "C:\Users\Admin\AppData\Local\Temp\das5A9E.tda""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\ROUTE.EXE
      route.exe print
      4⤵
      PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\gtr.bat
  2⤵
  - Deletes itself
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\das5A9E.tda

Filesize
2KB

MD5
ebc2231eafbca4d102df7ed6784fc54e

SHA1
4c1acf7491365e94c6f056c7b7b344c0fdf493a8

SHA256
83feaa4f4e22c3b0eb179f585b8167d18c918d7fe7f9785f06c7ee0b99e39db0

SHA512
4f36bc4d431fec7f5efe70879b5085a59d4fa394ea9fad5c64cf6f48e0d093d1dd565d88dd95e9e67588f806ab0db8840f45cfd451445f6941c3160e33a28cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtr.bat

Filesize
173B

MD5
d50eb0e96c56007bbfe847aa3ab083cf

SHA1
e1f9d78769edfa21a1ca1aca2dac54e5d7875efd

SHA256
9b7977ddf67bcbede41516df41dd17dfd06bdfa87f37cbefad2a911200c4e0e9

SHA512
47fd232b5122c69b2815b199dcdc418efaaf8b7d96fa5e04fe03f71e1caa5e549657ce762c58026dc6f9e45a9892a01e7738e2b0a4fd409cf29b72c9a2da5bf2

Download Submit
\Users\Admin\AppData\Local\Temp\das5A9E.tmp

Filesize
332KB

MD5
232ce53e89118aad67724197891dceff

SHA1
186e085879777b04ea7badb98c011b9e3908890a

SHA256
b9653633a232b06cf427dd6c5990c3adc5efadbd431d2e36e24c7a00320135f3

SHA512
043f3ed46a7ec7999a8bd08e31a270d55a9e06f7c884657017daa4c10085c926f634a8b97da343ded69c1d71463cf93e0af8e32405f5805752c785165de03367

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\userlib.dll

Filesize
112KB

MD5
3189668d248fc1aff2a598bd5753306e

SHA1
b425fb1c9e0b026fc309f8737ee0fe0411337aa3

SHA256
27936753026202064168fd6ebc3e258769198b41c25b7a7318a208c0e97ebaa4

SHA512
0bf6178c6267b1caf261dd75edf358e712419648d8e5bdb2ca65ad113b383d965415dce7ecaa30dd209884760e5843ed31653404f23508a83dcc938e10ffbefe

Download Submit