d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Size

2.9MB
MD5

3e8401bb83517566ebbb4c00a0b6ff38
SHA1

20ced727e415faaaba1d9c7608ca8caed18a70f5
SHA256

d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b
SHA512

38ce808876394382e9cb4388db1ae564bffe3ff3456afe91beb4e5481ac193341f9edc1522fe00a15d2459b33f1e9e02db27f188d431e96481721da990670283
SSDEEP

24576:a2Fu/HGcDdQwWH+7aU2E0lFgG9XqcSUXI+SwBeSwtPpoc+yu0cjZxY6jRt5oHkv4:Vu/dUpCw4SIjcP0idTfTXE5JJ7g97C

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\wininit.exe"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\wininit.exe"	wininit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wininit.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2088	wininit.exe
2096	spoolsv.exe
676	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	wininit.exe
2096	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wininit = "c:\\windows\\wininit.exe"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\windows\\svchost.exe"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Wininit	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
File created	\??\c:\windows\wininit.exe	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
File opened for modification	\??\c:\windows\wininit.exe	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
File opened for modification	\??\c:\windows\wininit.exe	wininit.exe
File created	\??\c:\windows\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1232	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
2096	spoolsv.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe
2088	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	wininit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2088	1232	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe	30
PID 1232 wrote to memory of 2088	1232	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe	30
PID 1232 wrote to memory of 2088	1232	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe	30
PID 1232 wrote to memory of 2088	1232	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe	30
PID 2088 wrote to memory of 2096	2088	wininit.exe	31
PID 2088 wrote to memory of 2096	2088	wininit.exe	31
PID 2088 wrote to memory of 2096	2088	wininit.exe	31
PID 2088 wrote to memory of 2096	2088	wininit.exe	31
PID 2096 wrote to memory of 676	2096	spoolsv.exe	32
PID 2096 wrote to memory of 676	2096	spoolsv.exe	32
PID 2096 wrote to memory of 676	2096	spoolsv.exe	32
PID 2096 wrote to memory of 676	2096	spoolsv.exe	32

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe
"C:\Users\Admin\AppData\Local\Temp\d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1232
- C:\windows\wininit.exe
  "C:\windows\wininit.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2088
- - C:\Users\Admin\appdata\roaming\spoolsv.exe
    "C:\Users\Admin\appdata\roaming\spoolsv.exe" /SE
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2096
  - - C:\windows\svchost.exe
      "C:\windows\svchost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\wininit.exe

Filesize
2.9MB

MD5
3e8401bb83517566ebbb4c00a0b6ff38

SHA1
20ced727e415faaaba1d9c7608ca8caed18a70f5

SHA256
d23d6d9a28cccf41f5f745a6042311e545af89d2cfab26d62b732f79772a3a0b

SHA512
38ce808876394382e9cb4388db1ae564bffe3ff3456afe91beb4e5481ac193341f9edc1522fe00a15d2459b33f1e9e02db27f188d431e96481721da990670283

Download Submit
memory/676-29-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/1232-8-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/1232-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2088-43-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-28-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-30-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-32-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2088-33-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-37-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-39-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-9-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2088-45-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-47-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-51-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2088-53-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2096-26-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download