28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

Resubmissions

10-04-2024 11:59

240410-n5sxrsaa2t 10

10-04-2024 11:59

10-04-2024 11:59

10-04-2024 11:59

15-02-2024 02:33

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cba67b5a3086744c0d4f831079b319b.exe
Size

5.1MB
MD5

9cba67b5a3086744c0d4f831079b319b
SHA1

9db9ea7ad37fb54ada8486ce1bb5a4dab489186e
SHA256

28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486
SHA512

57cdd4cc35e8148cfed304cce7af9d43df50acc5fe2ec3a85c72723ba18e6153f16031ced478273292dabd95005da4a145656285e932d85569333f9dc740b649
SSDEEP

98304:NVJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jCP:7pOwu2t26uqRsnf2VXvD6jC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome\\google\\chrome.exe\","	9cba67b5a3086744c0d4f831079b319b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2172	9cba67b5a3086744c0d4f831079b319b.exe
2552	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	9cba67b5a3086744c0d4f831079b319b.exe
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2436	2172	9cba67b5a3086744c0d4f831079b319b.exe	30
PID 2172 wrote to memory of 2436	2172	9cba67b5a3086744c0d4f831079b319b.exe	30
PID 2172 wrote to memory of 2436	2172	9cba67b5a3086744c0d4f831079b319b.exe	30
PID 2172 wrote to memory of 2436	2172	9cba67b5a3086744c0d4f831079b319b.exe	30
PID 2436 wrote to memory of 2552	2436	WScript.exe	31
PID 2436 wrote to memory of 2552	2436	WScript.exe	31
PID 2436 wrote to memory of 2552	2436	WScript.exe	31
PID 2436 wrote to memory of 2552	2436	WScript.exe	31
PID 2172 wrote to memory of 1936	2172	9cba67b5a3086744c0d4f831079b319b.exe	33
PID 2172 wrote to memory of 1936	2172	9cba67b5a3086744c0d4f831079b319b.exe	33
PID 2172 wrote to memory of 1936	2172	9cba67b5a3086744c0d4f831079b319b.exe	33
PID 2172 wrote to memory of 1936	2172	9cba67b5a3086744c0d4f831079b319b.exe	33
PID 2172 wrote to memory of 2960	2172	9cba67b5a3086744c0d4f831079b319b.exe	34
PID 2172 wrote to memory of 2960	2172	9cba67b5a3086744c0d4f831079b319b.exe	34
PID 2172 wrote to memory of 2960	2172	9cba67b5a3086744c0d4f831079b319b.exe	34
PID 2172 wrote to memory of 2960	2172	9cba67b5a3086744c0d4f831079b319b.exe	34
PID 2172 wrote to memory of 2316	2172	9cba67b5a3086744c0d4f831079b319b.exe	35
PID 2172 wrote to memory of 2316	2172	9cba67b5a3086744c0d4f831079b319b.exe	35
PID 2172 wrote to memory of 2316	2172	9cba67b5a3086744c0d4f831079b319b.exe	35
PID 2172 wrote to memory of 2316	2172	9cba67b5a3086744c0d4f831079b319b.exe	35
PID 2172 wrote to memory of 2520	2172	9cba67b5a3086744c0d4f831079b319b.exe	36
PID 2172 wrote to memory of 2520	2172	9cba67b5a3086744c0d4f831079b319b.exe	36
PID 2172 wrote to memory of 2520	2172	9cba67b5a3086744c0d4f831079b319b.exe	36
PID 2172 wrote to memory of 2520	2172	9cba67b5a3086744c0d4f831079b319b.exe	36
PID 2172 wrote to memory of 2832	2172	9cba67b5a3086744c0d4f831079b319b.exe	37
PID 2172 wrote to memory of 2832	2172	9cba67b5a3086744c0d4f831079b319b.exe	37
PID 2172 wrote to memory of 2832	2172	9cba67b5a3086744c0d4f831079b319b.exe	37
PID 2172 wrote to memory of 2832	2172	9cba67b5a3086744c0d4f831079b319b.exe	37
PID 2172 wrote to memory of 2820	2172	9cba67b5a3086744c0d4f831079b319b.exe	38
PID 2172 wrote to memory of 2820	2172	9cba67b5a3086744c0d4f831079b319b.exe	38
PID 2172 wrote to memory of 2820	2172	9cba67b5a3086744c0d4f831079b319b.exe	38
PID 2172 wrote to memory of 2820	2172	9cba67b5a3086744c0d4f831079b319b.exe	38
PID 2172 wrote to memory of 2836	2172	9cba67b5a3086744c0d4f831079b319b.exe	39
PID 2172 wrote to memory of 2836	2172	9cba67b5a3086744c0d4f831079b319b.exe	39
PID 2172 wrote to memory of 2836	2172	9cba67b5a3086744c0d4f831079b319b.exe	39
PID 2172 wrote to memory of 2836	2172	9cba67b5a3086744c0d4f831079b319b.exe	39
PID 2172 wrote to memory of 2844	2172	9cba67b5a3086744c0d4f831079b319b.exe	40
PID 2172 wrote to memory of 2844	2172	9cba67b5a3086744c0d4f831079b319b.exe	40
PID 2172 wrote to memory of 2844	2172	9cba67b5a3086744c0d4f831079b319b.exe	40
PID 2172 wrote to memory of 2844	2172	9cba67b5a3086744c0d4f831079b319b.exe	40
PID 2172 wrote to memory of 2824	2172	9cba67b5a3086744c0d4f831079b319b.exe	41
PID 2172 wrote to memory of 2824	2172	9cba67b5a3086744c0d4f831079b319b.exe	41
PID 2172 wrote to memory of 2824	2172	9cba67b5a3086744c0d4f831079b319b.exe	41
PID 2172 wrote to memory of 2824	2172	9cba67b5a3086744c0d4f831079b319b.exe	41
PID 2172 wrote to memory of 2940	2172	9cba67b5a3086744c0d4f831079b319b.exe	42
PID 2172 wrote to memory of 2940	2172	9cba67b5a3086744c0d4f831079b319b.exe	42
PID 2172 wrote to memory of 2940	2172	9cba67b5a3086744c0d4f831079b319b.exe	42
PID 2172 wrote to memory of 2940	2172	9cba67b5a3086744c0d4f831079b319b.exe	42

C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
"C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\chrome\google\chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  C:\Users\Admin\AppData\Local\Temp\9cba67b5a3086744c0d4f831079b319b.exe
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Hvpysyhfnmjvko.vbs

Filesize
150B

MD5
ed6d432bdbf28ed6ac0cf59692f5e0fe

SHA1
29b388b1b2cf5d2fea4d80088093ec6ea2575ca7

SHA256
452fac0c3baa72fa34a9089c390659b7438da3bc0e3e36a2e54de253492d61fe

SHA512
9879be1e14bc9b16a4743baf730261e474b3916fe84ea95d3b58ef57d924ec573434fc2530860ef74786e69d0480552b15049a276d88cf769a26b94a9c73446e

Download Submit
memory/2172-6-0x0000000004620000-0x0000000004660000-memory.dmp

Filesize
256KB

Download
memory/2172-14-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-3-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/2172-4-0x00000000008C0000-0x00000000008DE000-memory.dmp

Filesize
120KB

Download
memory/2172-5-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-0-0x0000000000270000-0x0000000000790000-memory.dmp

Filesize
5.1MB

Download
memory/2172-2-0x0000000004620000-0x0000000004660000-memory.dmp

Filesize
256KB

Download
memory/2552-15-0x00000000714C0000-0x0000000071A6B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-16-0x00000000714C0000-0x0000000071A6B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-17-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2552-19-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2552-18-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/2552-20-0x00000000714C0000-0x0000000071A6B000-memory.dmp

Filesize
5.7MB

Download