7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3

General

Target

7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe
Size

116KB
MD5

82d00fa329d9532026902fed16db9f9b
SHA1

22c9a4c137669904c480ba952cf574b8c1699eb0
SHA256

7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3
SHA512

c6057e3fa8103f57cf10bd59f1b660a1d52dcfff6285bafc2e1398aa349b6f0d66b619e0fc2145adf344c0ed3fed0997991117e51f64f392e105a4b9698fbd8e
SSDEEP

3072:qJO248B0EMlIHfbHPwYV/wlmNie0ROfOl/:qTLSzIHfMYV/9i1z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2892	winlgon.exe
2636	rgsvr32.exe

Loads dropped DLL 4 IoCs

pid	Process
2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe
2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe
2892	winlgon.exe
2892	winlgon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	DllHost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe
2892	winlgon.exe
2892	winlgon.exe
2892	winlgon.exe
2892	winlgon.exe
2892	winlgon.exe
2892	winlgon.exe
2636	rgsvr32.exe
2636	rgsvr32.exe
2636	rgsvr32.exe
2636	rgsvr32.exe
2892	winlgon.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2892	2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe	28
PID 2744 wrote to memory of 2892	2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe	28
PID 2744 wrote to memory of 2892	2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe	28
PID 2744 wrote to memory of 2892	2744	7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe	28
PID 2892 wrote to memory of 2636	2892	winlgon.exe	29
PID 2892 wrote to memory of 2636	2892	winlgon.exe	29
PID 2892 wrote to memory of 2636	2892	winlgon.exe	29
PID 2892 wrote to memory of 2636	2892	winlgon.exe	29

C:\Users\Admin\AppData\Local\Temp\7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe
"C:\Users\Admin\AppData\Local\Temp\7f5bffab7f5ae745a10b09e4d50328676f513b0c2006208bf474c2fb264d02f3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2636

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe

Filesize
32KB

MD5
a22518e8a73ec19da806817d825d8a9c

SHA1
6f99e1591e1ce68ac44cd760729b2aeb2cba3559

SHA256
1ab5d2ea45fbff4444eabb45a3a31538730ce56f2b9c041bcab958e3c69db97b

SHA512
8f56ea79eab4b2e1d6b81981a9cd4f9652821b1cf17337ff3abf5796654fef08859fe4fa186015507b00ac606eefade1541235fcc6202ebf5257a1311638511e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rose.JPG

Filesize
16KB

MD5
ea0fb3401aba8e0ce1d0bd80f135b795

SHA1
9e2b99dd154a7d3d4a1cf5aae2c9daaa3cc82eb9

SHA256
0b41962817467535040931362074e5f9d6bf5184e36b98550e68412db8403bee

SHA512
31eb720c4cb3c741d0f277ecacf2aa747ac2091032fe76dee77c9f628b0399aa083f1da8d495bc334a7112a5a042ee04d29f17df12729fa079ac5625a4df8403

Download Submit
\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
116KB

MD5
80d6aec83f9473efc1d2d848c10431e7

SHA1
26dcd667795ab662107a006a8c0728bf6780f3e8

SHA256
34db341f5bff0fa45200203ad3692c9087a480e4ac9c13079a92bea3c6949fcd

SHA512
94f3ed80cab7defcfdc95fbfd62213e013768b2fce2f70f03a459037e24965e0072dc911a89952a696ae8ce1000a2e5ef9db231e92693a46b9dee63131f42e9b

Download Submit
memory/1932-30-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1932-31-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1932-37-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2744-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-16-0x0000000001BC0000-0x0000000001BDF000-memory.dmp

Filesize
124KB

Download
memory/2744-29-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/2744-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2892-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2892-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads