8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f

General

Target

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
Size

118KB
MD5

e66005342b8f7348a7c905362d619000
SHA1

20a4782ac3165ef05cfe15fed3211281cd2e5036
SHA256

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f
SHA512

9f6a18d8d378c7ea1c39f227cc35c6d0df46f21704aaacfb71e613f24787568be969d17f778f4bcce71ccbd649354fe04cc9546b87b7f550c1a8a00ffbe0697f
SSDEEP

3072:qJO248B0EMlISxbHPwYV/wlmNie0ROfOl1:qTLSzISxMYV/9i15

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

winlgon.exergsvr32.exe

pid process

2516 winlgon.exe
2652 rgsvr32.exe

pid	process
2516	winlgon.exe
2652	rgsvr32.exe

Loads dropped DLL 4 IoCs

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exewinlgon.exe

pid	process
2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
2516	winlgon.exe
2516	winlgon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2616 2352 WerFault.exe 8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

pid	pid_target	process	target process
2616	2352	WerFault.exe	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exewinlgon.exergsvr32.exe

pid	process
2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
2516	winlgon.exe
2516	winlgon.exe
2516	winlgon.exe
2516	winlgon.exe
2516	winlgon.exe
2516	winlgon.exe
2652	rgsvr32.exe
2652	rgsvr32.exe
2652	rgsvr32.exe
2652	rgsvr32.exe
2516	winlgon.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exewinlgon.exe

description	pid	process	target process
PID 2352 wrote to memory of 2516	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 2352 wrote to memory of 2516	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 2352 wrote to memory of 2516	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 2352 wrote to memory of 2516	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 2516 wrote to memory of 2652	2516	winlgon.exe	rgsvr32.exe
PID 2516 wrote to memory of 2652	2516	winlgon.exe	rgsvr32.exe
PID 2516 wrote to memory of 2652	2516	winlgon.exe	rgsvr32.exe
PID 2516 wrote to memory of 2652	2516	winlgon.exe	rgsvr32.exe
PID 2352 wrote to memory of 2616	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	WerFault.exe
PID 2352 wrote to memory of 2616	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	WerFault.exe
PID 2352 wrote to memory of 2616	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	WerFault.exe
PID 2352 wrote to memory of 2616	2352	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
"C:\Users\Admin\AppData\Local\Temp\8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352

\??\c:\users\admin\appdata\local\temp\winlgon.exe
c:\users\admin\appdata\local\temp\winlgon.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 200
2⤵
- Program crash
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
118KB

MD5
16f92b8d6b1f504836273b8e51e30d2a

SHA1
6bce9ed53feab884c84910bfef911d02a6e1bfcc

SHA256
ee4d7e229206e8e5870ff81169a12a8d9204d49f51200afd9af991f3edbbf2d0

SHA512
e89eca889014f3b097311f62895b717f4e6d24793ceac59df451eba10e0abd18bf3975942290553b9907cbc685e10fd371fdafb0e0be14c9684aa79423247630

Download Submit
\Users\Admin\AppData\Local\Temp\rgsvr32.exe

Filesize
32KB

MD5
a22518e8a73ec19da806817d825d8a9c

SHA1
6f99e1591e1ce68ac44cd760729b2aeb2cba3559

SHA256
1ab5d2ea45fbff4444eabb45a3a31538730ce56f2b9c041bcab958e3c69db97b

SHA512
8f56ea79eab4b2e1d6b81981a9cd4f9652821b1cf17337ff3abf5796654fef08859fe4fa186015507b00ac606eefade1541235fcc6202ebf5257a1311638511e

Download Submit
memory/2352-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2352-16-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2352-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2352-30-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2516-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads