d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe
Size

75KB
MD5

96b9c75b5ba24150df6c999c9870fddf
SHA1

80b0c4f478667c9f75618c0adcc0615106359ce4
SHA256

d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2
SHA512

59b8c28d4a84315a6c90ecc2e9363c296a380ddd7fc03471010c1ce08eacedf152cb54375c7c3bf4d4b4fe27ba98ce277e79d07944d46e7aa0378941e58c05bb
SSDEEP

1536:kP6RJLbSshapMJgK+hxaZUux1imfJPtOrqm1s/XZydS:06RJz25KnZFvVfJPtOrqm2/XZuS

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2552	winlgon.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe
2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2600	WerFault.exe	27

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe
2552	winlgon.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2552	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	28
PID 2600 wrote to memory of 2552	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	28
PID 2600 wrote to memory of 2552	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	28
PID 2600 wrote to memory of 2552	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	28
PID 2600 wrote to memory of 2620	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	29
PID 2600 wrote to memory of 2620	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	29
PID 2600 wrote to memory of 2620	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	29
PID 2600 wrote to memory of 2620	2600	d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe	29

C:\Users\Admin\AppData\Local\Temp\d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe
"C:\Users\Admin\AppData\Local\Temp\d24c6caf8f1487c75ffe5cace014f15f122b4d737584fbf8b8e25b2c0b88dab2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 204
  2⤵
  - Program crash
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
75KB

MD5
a265e6f673fe48326e7b18cf0749c1c4

SHA1
c0966c8eca468d03d544e41266b606282c6de1da

SHA256
0dfecde5227771b5f84872a552266f26b6e35acc7fe6c2643449bf9f29b088a1

SHA512
634bce5defadb513b5a9241b60bf6d63aaa436fb9b05310050b80f983b8d936f20dab6090fee88da8697d631e10f675dbf60b07b18587d4af9c5c6ce3cdc1144

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads