5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe
Size

78KB
MD5

f164bfb9c0f82557d0089e286a080a37
SHA1

0796c880db7aba5292ad9d9b5ef84a22ed95d37e
SHA256

5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268
SHA512

360ce91c8f06eeed73cf429b5a65c3ca95ddaafa07da2b9eca36c7b46674d469974be24428700a92b5efa1dbc2c35570daa1582a92c9824e64b654511f589478
SSDEEP

1536:abSshapMJgKJUuxGmfJPtOgqm1s/XZSWcHoov:K25KJFjfJPtOgqm2/XZXcv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	winlgon.exe

Loads dropped DLL 9 IoCs

pid	Process
2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe
2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2608	2016	WerFault.exe	28
2732	2156	WerFault.exe	27

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe
2016	winlgon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2016	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	28
PID 2156 wrote to memory of 2016	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	28
PID 2156 wrote to memory of 2016	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	28
PID 2156 wrote to memory of 2016	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	28
PID 2016 wrote to memory of 2608	2016	winlgon.exe	29
PID 2016 wrote to memory of 2608	2016	winlgon.exe	29
PID 2016 wrote to memory of 2608	2016	winlgon.exe	29
PID 2016 wrote to memory of 2608	2016	winlgon.exe	29
PID 2156 wrote to memory of 2732	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	30
PID 2156 wrote to memory of 2732	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	30
PID 2156 wrote to memory of 2732	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	30
PID 2156 wrote to memory of 2732	2156	5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe	30

C:\Users\Admin\AppData\Local\Temp\5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe
"C:\Users\Admin\AppData\Local\Temp\5767793f0dfb6f5d82b54adde313de3d84cdf4b9a4d3e7c6595095a5147e6268.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 204
  2⤵
  - Program crash
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
78KB

MD5
ab2b350623240c1ebdb7d9d5ec29ff5a

SHA1
24e38350f6062dd9e6e81b6d8708a2fb119722fa

SHA256
57af2624509e8e40dc735278dfe7e812f403ff13bdf480ec023d4472475596fb

SHA512
305e6bb4db0670b5c963b70237c37ce8ffffbb29d1204aa2a5b15e44ca543d434a9b94341e13026dd07592f2508f17d84adcf7c699b890ea2a00632babd7d673

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads