Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 10:54
Behavioral task behavioral1: Sample Payload.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample Payload.exe, Resource win10v2004-20241007-en
General
Target: Payload.exe
Size: 27KB
MD5: 6363fdf6807cbef35f331eee2acd8c95
SHA1: a3c39ca66596d25bb6b49c691348b29f6c7cf582
SHA256: 091389e24f8de1ef56cda84cc7f8598767bedf9c4b1dfb73736713b887c259c9
SHA512: b1a56829768578ec64e0ddaa7bd7023075ec8559c1fee57d3103222e0aea42137fce5f8ac4396701c33349af3db39e2d61d8baf00d3baf932681e085e5231f41
SSDEEP: 384:gLZeZoTmgEJLbwvqWDbPxZh7M9AQk93vmhm7UMKmIEecKdbXTzm9bVhca16fr6eR:+ENvwy9A/vMHTi9bD
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
Executes dropped EXE 1 IoCs
pid | Process
2732 | tmp7A4E.tmp.exe
Loads dropped DLL 1 IoCs
pid | Process
1644 | Payload.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | tmp7A4E.tmp.exe
File opened (read-only) | \??\D: | Payload.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payload.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7A4E.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | csrss.exe
Enumerates system info in registry 2 TTPs 32 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | csrss.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
Modifies data under HKEY_USERS 9 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | winlogon.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: 33 | 1644 | Payload.exe
Token: SeIncBasePriorityPrivilege | 1644 | Payload.exe
Token: SeShutdownPrivilege | 1616 | LogonUI.exe
Token: SeShutdownPrivilege | 1616 | LogonUI.exe
Token: SeSecurityPrivilege | 1596 | winlogon.exe
Token: SeBackupPrivilege | 1596 | winlogon.exe
Token: SeSecurityPrivilege | 1596 | winlogon.exe
Token: SeTcbPrivilege | 1596 | winlogon.exe
Token: SeShutdownPrivilege | 1616 | LogonUI.exe
Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
1644 | Payload.exe
1644 | Payload.exe
1644 | Payload.exe
1644 | Payload.exe
1644 | Payload.exe
1644 | Payload.exe
1644 | Payload.exe
1644 | Payload.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 1644 wrote to memory of 2732 | 1644 | Payload.exe | 32
PID 1644 wrote to memory of 2732 | 1644 | Payload.exe | 32
PID 1644 wrote to memory of 2732 | 1644 | Payload.exe | 32
PID 1644 wrote to memory of 2732 | 1644 | Payload.exe | 32
PID 1644 wrote to memory of 2248 | 1644 | Payload.exe | 33
PID 1644 wrote to memory of 2248 | 1644 | Payload.exe | 33
PID 1644 wrote to memory of 2248 | 1644 | Payload.exe | 33
PID 1644 wrote to memory of 2248 | 1644 | Payload.exe | 33
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1596 wrote to memory of 1616 | 1596 | winlogon.exe | 39
PID 1596 wrote to memory of 1616 | 1596 | winlogon.exe | 39
PID 1596 wrote to memory of 1616 | 1596 | winlogon.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
PID 1360 wrote to memory of 1616 | 1360 | csrss.exe | 39
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  PID: 1644
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tmp7A4E.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7A4E.tmp.exe"
    PID: 2732
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\Shutdown.exe
    Command line: Shutdown -l
    PID: 2248
    - System Location Discovery: System Language Discovery
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2952
C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 1360
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 1596
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    PID: 1616
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 25KB
MD5: 0a1d11ae40c22ce547fc2dd8f4a0d7bd
SHA1: ed60c2818a6f3c18d0e52d5696b68955653197ad
SHA256: bcf0dc9325436d2ffd3d19c1ba67ab28769451fea4725603171f6e02efd2337e
SHA512: 7f94c26fbaf85f1eb88eda2005c73d94d56cf1c1fdfb69fa86b7550d5098a403acb9d52c5ff128302c2733419b30c93fe3c90dad7651a982e779c4e682b4eb05