8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
Size

118KB
MD5

e66005342b8f7348a7c905362d619000
SHA1

20a4782ac3165ef05cfe15fed3211281cd2e5036
SHA256

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f
SHA512

9f6a18d8d378c7ea1c39f227cc35c6d0df46f21704aaacfb71e613f24787568be969d17f778f4bcce71ccbd649354fe04cc9546b87b7f550c1a8a00ffbe0697f
SSDEEP

3072:qJO248B0EMlISxbHPwYV/wlmNie0ROfOl1:qTLSzISxMYV/9i15

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

winlgon.exergsvr32.exe

pid process

1144 winlgon.exe
3948 rgsvr32.exe

pid	process
1144	winlgon.exe
3948	rgsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1216 4796 WerFault.exe 8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

pid	pid_target	process	target process
1216	4796	WerFault.exe	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exewinlgon.exergsvr32.exe

pid	process
4796	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
1144	winlgon.exe
1144	winlgon.exe
1144	winlgon.exe
1144	winlgon.exe
1144	winlgon.exe
1144	winlgon.exe
3948	rgsvr32.exe
3948	rgsvr32.exe
3948	rgsvr32.exe
3948	rgsvr32.exe
1144	winlgon.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exewinlgon.exe

description	pid	process	target process
PID 4796 wrote to memory of 1144	4796	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 4796 wrote to memory of 1144	4796	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 4796 wrote to memory of 1144	4796	8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe	winlgon.exe
PID 1144 wrote to memory of 3948	1144	winlgon.exe	rgsvr32.exe
PID 1144 wrote to memory of 3948	1144	winlgon.exe	rgsvr32.exe
PID 1144 wrote to memory of 3948	1144	winlgon.exe	rgsvr32.exe

C:\Users\Admin\AppData\Local\Temp\8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe
"C:\Users\Admin\AppData\Local\Temp\8eee2433c996e890c70912a68d3f46cd054c485880b6a06aed974fef527efc3f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796

\??\c:\users\admin\appdata\local\temp\winlgon.exe
c:\users\admin\appdata\local\temp\winlgon.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 600
2⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4796 -ip 4796
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe

Filesize
32KB

MD5
a22518e8a73ec19da806817d825d8a9c

SHA1
6f99e1591e1ce68ac44cd760729b2aeb2cba3559

SHA256
1ab5d2ea45fbff4444eabb45a3a31538730ce56f2b9c041bcab958e3c69db97b

SHA512
8f56ea79eab4b2e1d6b81981a9cd4f9652821b1cf17337ff3abf5796654fef08859fe4fa186015507b00ac606eefade1541235fcc6202ebf5257a1311638511e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
118KB

MD5
0e0640ee8fcd380b91b0e09714fada08

SHA1
a7bb2f37139c0099b8f9f9e6919cfb1b5c936b07

SHA256
c35da1a13b365360a461b3527082425fe09976f851864cf147e7d5407184879f

SHA512
fa90481660eaf69a78955dcb8ca39ae6edf3f109297991aa8c8657d0525b655503901280761114468c0f63b29dc5d91bf98aecb63ac51463a20e716242d5de1b

Download Submit
memory/1144-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1144-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download