d9460bef7ee53ef08cdfd8a45e01b7913a07fee7c2ae9d87d46d2fb4b914f02f

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a76f9c9e44d3d5a3f1e283dc334a320N.exe
Size

725KB
MD5

0a76f9c9e44d3d5a3f1e283dc334a320
SHA1

ae6dc0562f66434a6db8fd936b51c36531c7378e
SHA256

d9460bef7ee53ef08cdfd8a45e01b7913a07fee7c2ae9d87d46d2fb4b914f02f
SHA512

b84da827ae0d75665406d7e4a625d567fb1813b891b6225737787b03c02885d0886d11724ee2d032170a34b92deba94ba62401ad9836fed728326041f2499dd5
SSDEEP

12288:lM+wSnCwWLMkskJtA8Ilr3xRZjkSCwWLMVLXwKKoqbsrw2/wX:lN05LRskvIlB1C5LqwKKoozX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	0a76f9c9e44d3d5a3f1e283dc334a320N.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a76f9c9e44d3d5a3f1e283dc334a320N.exe"	0a76f9c9e44d3d5a3f1e283dc334a320N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntos.exe	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
File created	C:\Windows\SysWOW64\ntos.exe	0a76f9c9e44d3d5a3f1e283dc334a320N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe
232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5
PID 232 wrote to memory of 612	232	0a76f9c9e44d3d5a3f1e283dc334a320N.exe	5

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\0a76f9c9e44d3d5a3f1e283dc334a320N.exe
"C:\Users\Admin\AppData\Local\Temp\0a76f9c9e44d3d5a3f1e283dc334a320N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-4-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-39-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-37-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-35-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-33-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-29-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-27-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-25-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-24-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-21-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-41-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-19-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-17-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-15-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-11-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-9-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-7-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-5-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-31-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download
memory/612-13-0x0000000014D00000-0x0000000014D13000-memory.dmp

Filesize
76KB

Download