02416b68bb0916b4bbd533b1bc62334b45aa243c5acba8784f344698b9cb3f93

General

Target

567317156aebcf98a95feaec1e8d51a0N.exe
Size

44KB
MD5

567317156aebcf98a95feaec1e8d51a0
SHA1

f8c750c1d4c1e8507d58c79ea48da798edb2889d
SHA256

02416b68bb0916b4bbd533b1bc62334b45aa243c5acba8784f344698b9cb3f93
SHA512

823bf6e06d80249cac1cf687138b1cf793e41f462a4227a264b7192e9505805d61d5ec5212876ec3070ae6d5fae5f1ba56ee8b288cb1b6c317ead0d025094051
SSDEEP

768:mTAm5hiTllzeF/AJOTmbWa8RYdiU3/7Shy5nv9/B39lQrGJ6JI:mLIcNTcWATPuhI9lABI

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows/system32/SVCH0ST.EXE"	567317156aebcf98a95feaec1e8d51a0N.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	567317156aebcf98a95feaec1e8d51a0N.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Agent = "C:\\Windows\\System32\\SVCH0ST.EXE"	567317156aebcf98a95feaec1e8d51a0N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SVCH0ST.EXE	567317156aebcf98a95feaec1e8d51a0N.exe
File opened for modification	C:\Windows\SysWOW64\SVCH0ST.EXE	567317156aebcf98a95feaec1e8d51a0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wincirl.com	567317156aebcf98a95feaec1e8d51a0N.exe
File opened for modification	C:\Windows\system\wincirl.com	567317156aebcf98a95feaec1e8d51a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	567317156aebcf98a95feaec1e8d51a0N.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1956	567317156aebcf98a95feaec1e8d51a0N.exe
1956	567317156aebcf98a95feaec1e8d51a0N.exe
1956	567317156aebcf98a95feaec1e8d51a0N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	567317156aebcf98a95feaec1e8d51a0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1956	567317156aebcf98a95feaec1e8d51a0N.exe
1956	567317156aebcf98a95feaec1e8d51a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 496	1956	567317156aebcf98a95feaec1e8d51a0N.exe	30
PID 1956 wrote to memory of 496	1956	567317156aebcf98a95feaec1e8d51a0N.exe	30
PID 1956 wrote to memory of 496	1956	567317156aebcf98a95feaec1e8d51a0N.exe	30
PID 1956 wrote to memory of 496	1956	567317156aebcf98a95feaec1e8d51a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\567317156aebcf98a95feaec1e8d51a0N.exe
"C:\Users\Admin\AppData\Local\Temp\567317156aebcf98a95feaec1e8d51a0N.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe
  2⤵
  PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Shortcut Manager.pif

Filesize
40KB

MD5
c46fb8f20aa2b853d473e85e6f8152d0

SHA1
6cce1f19c638cc22354167d4115c87d7da28308f

SHA256
225a3c7bc1147aa0aa9c242c9ff90861e8ac6e19abf0c072cad12104795e0d5f

SHA512
bc2daa719aeb3eb88936a2859dfb90e49c54eb14a45db6bfa606c6c401a676d5e51f6f6b57ab81cd56880ef6e063ecc4b61223058f98508c1173f62f15cd45be

Download Submit
memory/1956-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1956-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads