3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1800s
max time network
1564s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe
Size

374KB
MD5

4cdf272264c0a1ac4ece4df6f1da1402
SHA1

b75672a775a6ded522c8b3f294fd323819e1ac30
SHA256

51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54
SHA512

d08e14f704de9238190d1955bee6378e8e0223cf581c42df605a4000f4ccb72c5187d9a60bec58d6ece9ab76538d88e2a072526f6e16515c351ab010d6e24103
SSDEEP

6144:VaLnnkc+VVufoje7H4p7ai1sNBG40os/b1iTBdl7yAOxckNM9VN:VaTneVw7Yp31sNqos/BiTTl7yNa

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\513086~1.EXE"	51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe

pid process

1940 51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe

pid	process
1940	51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.execmd.exe

description	pid	process	target process
PID 1940 wrote to memory of 2360	1940	51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe	cmd.exe
PID 1940 wrote to memory of 2360	1940	51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe	cmd.exe
PID 1940 wrote to memory of 2360	1940	51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe	cmd.exe
PID 1940 wrote to memory of 2360	1940	51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe	cmd.exe
PID 2360 wrote to memory of 1508	2360	cmd.exe	ROUTE.EXE
PID 2360 wrote to memory of 1508	2360	cmd.exe	ROUTE.EXE
PID 2360 wrote to memory of 1508	2360	cmd.exe	ROUTE.EXE
PID 2360 wrote to memory of 1508	2360	cmd.exe	ROUTE.EXE

C:\Users\Admin\AppData\Local\Temp\51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe
"C:\Users\Admin\AppData\Local\Temp\51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /C "route.exe print > "C:\Users\Admin\AppData\Local\Temp\51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.gfd""
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\ROUTE.EXE
route.exe print
3⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.gfd
Filesize
2KB

MD5
2866e350fb6df0af4f096cae8aefe775

SHA1
a088f11e3b4dec4ae108d50cee1266cb9c3f608e

SHA256
91d4b6f90b63af5d62f4bba7dd4dbbf45f5554aa85f7ed9e37102e4ebb4df3eb

SHA512
5100bc3534aa06a706cbe6a6049291e13e9cb2656940923dc5b8c851df2593b68c2787c82363833f514d0b0961e470f882eb1d92e9f6795bfd07effcc112f9b3

Download Submit