151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639

General

Target

151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe
Size

346KB
MD5

fb9c21a9cc24889784f8f943dd558f70
SHA1

836f910db289475f0e1404bad3461c6bc1e3c3b7
SHA256

151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639
SHA512

ac2dbb3ef927d8ba6e13102c9c193156cd3e19b53d797ef009eb0ccdad74313cd76e0f4ece13096cc4d075962e1bdc6db4a1b90c10d4d09c520c1e018a2ef8e1
SSDEEP

6144:+CjwZuxYoa6PTe6VlWT8b9MM2MNuTDbNSRuW:EZuXPTPVle8KM2TlSR

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\xdwdMicrosoft SharePoint.exe"	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 2 IoCs

Processes:

pid	Process
4188
112

Drops file in Windows directory 1 IoCs

Processes:

151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe

description	ioc	Process
File created	C:\Windows\xdwd.dll	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
1992	schtasks.exe
3764	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe

description	pid	Process
Token: SeDebugPrivilege	3116	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exeCMD.exeCMD.exe

description	pid	Process	procid_target
PID 3116 wrote to memory of 592	3116	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe	96
PID 3116 wrote to memory of 592	3116	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe	96
PID 592 wrote to memory of 1992	592	CMD.exe	98
PID 592 wrote to memory of 1992	592	CMD.exe	98
PID 3116 wrote to memory of 2008	3116	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe	99
PID 3116 wrote to memory of 2008	3116	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe	99
PID 2008 wrote to memory of 3764	2008	CMD.exe	101
PID 2008 wrote to memory of 3764	2008	CMD.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe
"C:\Users\Admin\AppData\Local\Temp\151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\Admin\Videos\xdwdMicrosoft SharePoint.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\Admin\Videos\xdwdMicrosoft SharePoint.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1992
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk Revit Upgrade" /tr "C:\Users\Admin\AppData\Local\xdwdMicrosoft Hyper-V.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk Revit Upgrade" /tr "C:\Users\Admin\AppData\Local\xdwdMicrosoft Hyper-V.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/3116-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/3116-1-0x00000000001E0000-0x000000000023C000-memory.dmp

Filesize
368KB

Download
memory/3116-2-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/3116-35-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3116-114-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads