Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 18:30
Static task: static1
Behavioral task: behavioral1
  Sample: 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
  Resource: win10v2004-20240802-en
General
Target: 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Size: 53KB
MD5: c81e06fc828b11d4d8950f7257a5d150
SHA1: 37a4d7e5cf5d96e42242f8df96bc35557a08b9a0
SHA256: 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b
SHA512: dfb677d1b7c1671bfd65254ca804d48dc6370204281b73dbfe8745aa3506fdf6dc240f319a694b2bfff652057c3da83c5e583d3d3eb7aa2d4711d4590c13a75a
SSDEEP: 1536:5l9nw/hT31GCSI6WB3IMeCn7EI50ru9nw/hT31G2:25T3BF6sYMF725T3x
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6297122.exe" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4297127.exe\"" | lsass.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | m4623.exe
Adds policy Run key to start application (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | m4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4713c = "\"C:\\Windows\\_default29712.pif\"" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | csrss.exe
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | csrss.exe
Executes dropped EXE (7 IoCs)
pid | Process
2960 | smss.exe
2296 | winlogon.exe
2056 | services.exe
2904 | csrss.exe
1260 | lsass.exe
2980 | qm4623.exe
2260 | m4623.exe
Loads dropped DLL (14 IoCs)
pid | Process
2688 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
2688 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
2960 | smss.exe
2960 | smss.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
2296 | winlogon.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | m4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4713c = "\"C:\\Windows\\j6297122.exe\"" | csrss.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | lsass.exe
File opened (read-only) | \??\J: | lsass.exe
File opened (read-only) | \??\M: | lsass.exe
File opened (read-only) | \??\N: | lsass.exe
File opened (read-only) | \??\T: | lsass.exe
File opened (read-only) | \??\Y: | lsass.exe
File opened (read-only) | \??\E: | lsass.exe
File opened (read-only) | \??\L: | lsass.exe
File opened (read-only) | \??\Q: | lsass.exe
File opened (read-only) | \??\R: | lsass.exe
File opened (read-only) | \??\V: | lsass.exe
File opened (read-only) | \??\W: | lsass.exe
File opened (read-only) | \??\X: | lsass.exe
File opened (read-only) | \??\Z: | lsass.exe
File opened (read-only) | \??\G: | lsass.exe
File opened (read-only) | \??\I: | lsass.exe
File opened (read-only) | \??\K: | lsass.exe
File opened (read-only) | \??\O: | lsass.exe
File opened (read-only) | \??\U: | lsass.exe
File opened (read-only) | \??\P: | lsass.exe
File opened (read-only) | \??\S: | lsass.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File created | C:\Windows\SysWOW64\c_29712k.com | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | csrss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | m4623.exe
File created | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | services.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | csrss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | services.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\domlist.txt | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File created | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\m4623.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\brdom.bat | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\domlist.txt | cmd.exe
File created | C:\Windows\SysWOW64\s4827\getdomlist.txt | cmd.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | smss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\getdomlist.txt | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | services.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\c.bron.tok.txt | lsass.exe
File created | C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | services.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | lsass.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\c_29712k.com | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | m4623.exe
Drops file in Windows directory (34 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\o4297127.exe | m4623.exe
File created | C:\Windows\j6297122.exe | qm4623.exe
File opened for modification | C:\Windows\j6297122.exe | qm4623.exe
File opened for modification | C:\Windows\_default29712.pif | m4623.exe
File opened for modification | C:\Windows\_default29712.pif | winlogon.exe
File opened for modification | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\j6297122.exe | services.exe
File created | C:\Windows\o4297127.exe | qm4623.exe
File opened for modification | C:\Windows\j6297122.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File created | C:\Windows\o4297127.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\o4297127.exe | winlogon.exe
File opened for modification | C:\Windows\j6297122.exe | smss.exe
File opened for modification | C:\Windows\_default29712.pif | csrss.exe
File opened for modification | C:\Windows\_default29712.pif | smss.exe
File created | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\o4297127.exe | csrss.exe
File opened for modification | C:\Windows\o4297127.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\_default29712.pif | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File created | C:\Windows\_default29712.pif | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File created | C:\Windows\j6297122.exe | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
File opened for modification | C:\Windows\j6297122.exe | csrss.exe
File created | C:\Windows\_default29712.pif | qm4623.exe
File opened for modification | C:\Windows\j6297122.exe | lsass.exe
File opened for modification | C:\Windows\o4297127.exe | lsass.exe
File created | C:\Windows\o4297127.exe | lsass.exe
File opened for modification | C:\Windows\_default29712.pif | lsass.exe
File opened for modification | C:\Windows\o4297127.exe | smss.exe
File opened for modification | C:\Windows\j6297122.exe | winlogon.exe
File opened for modification | C:\Windows\o4297127.exe | services.exe
File opened for modification | C:\Windows\o4297127.exe | qm4623.exe
File opened for modification | C:\Windows\_default29712.pif | qm4623.exe
File opened for modification | C:\Windows\Ad10218 | winlogon.exe
File opened for modification | C:\Windows\_default29712.pif | services.exe
File opened for modification | C:\Windows\j6297122.exe | m4623.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Discovers systems in the same network (1 TTPs, 2 IoCs)
pid | Process
2204 | net.exe
2300 | net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2296 | winlogon.exe (this same row is listed 64 times in the report)
Suspicious use of WriteProcessMemory (56 IoCs)
description | pid | Process | procid_target
PID 2688 wrote to memory of 2960 | 2688 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe | 32
PID 2688 wrote to memory of 2960 | 2688 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe | 32
PID 2688 wrote to memory of 2960 | 2688 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe | 32
PID 2688 wrote to memory of 2960 | 2688 | 14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe | 32
PID 2960 wrote to memory of 2296 | 2960 | smss.exe | 34
PID 2960 wrote to memory of 2296 | 2960 | smss.exe | 34
PID 2960 wrote to memory of 2296 | 2960 | smss.exe | 34
PID 2960 wrote to memory of 2296 | 2960 | smss.exe | 34
PID 2296 wrote to memory of 2056 | 2296 | winlogon.exe | 36
PID 2296 wrote to memory of 2056 | 2296 | winlogon.exe | 36
PID 2296 wrote to memory of 2056 | 2296 | winlogon.exe | 36
PID 2296 wrote to memory of 2056 | 2296 | winlogon.exe | 36
PID 2296 wrote to memory of 2904 | 2296 | winlogon.exe | 38
PID 2296 wrote to memory of 2904 | 2296 | winlogon.exe | 38
PID 2296 wrote to memory of 2904 | 2296 | winlogon.exe | 38
PID 2296 wrote to memory of 2904 | 2296 | winlogon.exe | 38
PID 2296 wrote to memory of 1260 | 2296 | winlogon.exe | 40
PID 2296 wrote to memory of 1260 | 2296 | winlogon.exe | 40
PID 2296 wrote to memory of 1260 | 2296 | winlogon.exe | 40
PID 2296 wrote to memory of 1260 | 2296 | winlogon.exe | 40
PID 2296 wrote to memory of 2980 | 2296 | winlogon.exe | 42
PID 2296 wrote to memory of 2980 | 2296 | winlogon.exe | 42
PID 2296 wrote to memory of 2980 | 2296 | winlogon.exe | 42
PID 2296 wrote to memory of 2980 | 2296 | winlogon.exe | 42
PID 2296 wrote to memory of 2260 | 2296 | winlogon.exe | 44
PID 2296 wrote to memory of 2260 | 2296 | winlogon.exe | 44
PID 2296 wrote to memory of 2260 | 2296 | winlogon.exe | 44
PID 2296 wrote to memory of 2260 | 2296 | winlogon.exe | 44
PID 2296 wrote to memory of 2484 | 2296 | winlogon.exe | 46
PID 2296 wrote to memory of 2484 | 2296 | winlogon.exe | 46
PID 2296 wrote to memory of 2484 | 2296 | winlogon.exe | 46
PID 2296 wrote to memory of 2484 | 2296 | winlogon.exe | 46
PID 2296 wrote to memory of 2028 | 2296 | winlogon.exe | 48
PID 2296 wrote to memory of 2028 | 2296 | winlogon.exe | 48
PID 2296 wrote to memory of 2028 | 2296 | winlogon.exe | 48
PID 2296 wrote to memory of 2028 | 2296 | winlogon.exe | 48
PID 2296 wrote to memory of 2120 | 2296 | winlogon.exe | 50
PID 2296 wrote to memory of 2120 | 2296 | winlogon.exe | 50
PID 2296 wrote to memory of 2120 | 2296 | winlogon.exe | 50
PID 2296 wrote to memory of 2120 | 2296 | winlogon.exe | 50
PID 1260 wrote to memory of 1552 | 1260 | lsass.exe | 52
PID 1260 wrote to memory of 1552 | 1260 | lsass.exe | 52
PID 1260 wrote to memory of 1552 | 1260 | lsass.exe | 52
PID 1260 wrote to memory of 1552 | 1260 | lsass.exe | 52
PID 1552 wrote to memory of 2204 | 1552 | cmd.exe | 54
PID 1552 wrote to memory of 2204 | 1552 | cmd.exe | 54
PID 1552 wrote to memory of 2204 | 1552 | cmd.exe | 54
PID 1552 wrote to memory of 2204 | 1552 | cmd.exe | 54
PID 1260 wrote to memory of 2972 | 1260 | lsass.exe | 55
PID 1260 wrote to memory of 2972 | 1260 | lsass.exe | 55
PID 1260 wrote to memory of 2972 | 1260 | lsass.exe | 55
PID 1260 wrote to memory of 2972 | 1260 | lsass.exe | 55
PID 2972 wrote to memory of 2300 | 2972 | cmd.exe | 57
PID 2972 wrote to memory of 2300 | 2972 | cmd.exe | 57
PID 2972 wrote to memory of 2300 | 2972 | cmd.exe | 57
PID 2972 wrote to memory of 2300 | 2972 | cmd.exe | 57
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14c871e6ccc8a30ea319bbc777e65bfd567601faada533478d5cdfb62466ae8b.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2688
Depth 2: C:\Windows\SysWOW64\s4827\smss.exe
Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2960
Depth 3: C:\Windows\SysWOW64\s4827\winlogon.exe
Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2296
Depth 4: C:\Windows\SysWOW64\s4827\services.exe
Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2056
-
-
C:\Windows\SysWOW64\s4827\csrss.exe"C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2904
-
-
C:\Windows\SysWOW64\s4827\lsass.exe"C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\net.exenet view /domain6⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:2204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\system32\s4827\brdom.bat" "5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\net.exenet view /domain:WORKGROUP6⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:2300
-
-
-
-
C:\Windows\Ad10218\qm4623.exe"C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2980
-
-
C:\Windows\SysWOW64\s4827\m4623.exe"C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2260
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe" /delete /y4⤵
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"4⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"4⤵
- System Location Discovery: System Language Discovery
PID:2120
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 5
Downloads