2bdddb09bd97485a8662ccf069a3c10963559f12c23045fa3dd28bc0c56851e4

General

Target

e0108c567b623ef4804638d892ab2fa3.exe
Size

70KB
MD5

e0108c567b623ef4804638d892ab2fa3
SHA1

4e9b33976d8f25eb941883476a0da50fe7726faa
SHA256

2bdddb09bd97485a8662ccf069a3c10963559f12c23045fa3dd28bc0c56851e4
SHA512

85f79109e7f62f9e5618fc42d5ed79aa05ee4cca943048dd4b093cf30709fd76f79e791172890f891ab5e3974abbe26ffd58f3c91478ae7f0c09d83a03bb6e04
SSDEEP

1536:g3Tvc4o6pYScxHmkq6UwmAYzj/8sJQ26bk5NV3h4TFu:go4Y7bdmAWj/JGbl

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	e0108c567b623ef4804638d892ab2fa3.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdthg.exe"	e0108c567b623ef4804638d892ab2fa3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdthg.exe	e0108c567b623ef4804638d892ab2fa3.exe
File opened for modification	C:\Windows\SysWOW64\kdthg.exe	e0108c567b623ef4804638d892ab2fa3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 352 set thread context of 2588	352	e0108c567b623ef4804638d892ab2fa3.exe	29

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo	e0108c567b623ef4804638d892ab2fa3.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International	e0108c567b623ef4804638d892ab2fa3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
352	e0108c567b623ef4804638d892ab2fa3.exe
352	e0108c567b623ef4804638d892ab2fa3.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeSecurityPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeTakeOwnershipPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeLoadDriverPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeSystemProfilePrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeSystemtimePrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeProfSingleProcessPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeIncBasePriorityPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeCreatePagefilePrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeBackupPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeRestorePrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeShutdownPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeDebugPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeSystemEnvironmentPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeChangeNotifyPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeRemoteShutdownPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeUndockPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeManageVolumePrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeImpersonatePrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: SeCreateGlobalPrivilege	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: 33	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: 34	352	e0108c567b623ef4804638d892ab2fa3.exe
Token: 35	352	e0108c567b623ef4804638d892ab2fa3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2536	352	e0108c567b623ef4804638d892ab2fa3.exe	28
PID 352 wrote to memory of 2536	352	e0108c567b623ef4804638d892ab2fa3.exe	28
PID 352 wrote to memory of 2536	352	e0108c567b623ef4804638d892ab2fa3.exe	28
PID 352 wrote to memory of 2536	352	e0108c567b623ef4804638d892ab2fa3.exe	28
PID 352 wrote to memory of 2588	352	e0108c567b623ef4804638d892ab2fa3.exe	29
PID 352 wrote to memory of 2588	352	e0108c567b623ef4804638d892ab2fa3.exe	29
PID 352 wrote to memory of 2588	352	e0108c567b623ef4804638d892ab2fa3.exe	29
PID 352 wrote to memory of 2588	352	e0108c567b623ef4804638d892ab2fa3.exe	29

C:\Users\Admin\AppData\Local\Temp\e0108c567b623ef4804638d892ab2fa3.exe
"C:\Users\Admin\AppData\Local\Temp\e0108c567b623ef4804638d892ab2fa3.exe"
1⤵
- Checks computer location settings
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:2536
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/352-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/352-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/352-1-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/352-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads