60c73b767a7c748be246b9c8edf19922e361f961fde414cdaa20f05933ef983e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client1.exe
Size

75KB
MD5

aaa9a1048accb362dff125208ceee259
SHA1

c155cd8763879f4bd22345275d3f4e804683293d
SHA256

60c73b767a7c748be246b9c8edf19922e361f961fde414cdaa20f05933ef983e
SHA512

294ed8482f7f8f670c635f25c299e567357a60f64c7daebcafc2b19c157cffc43d6f448747c5fae8c0865c55916d2f85d4ab3ec7d82a79bd2b99425f754260a1
SSDEEP

1536:e0nZz1Ir/ZLtez0RtrnXw6cIASbtLEmfcHQ5pqKmY7:e0AeQnXrASbtQqDiz

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\System32\\Wincall.exe"	Client1.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	Wincall.exe
2584	Wincall.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Wincall.exe	Client1.exe
File opened for modification	C:\Windows\System32\Wincall.exe	Client1.exe
File opened for modification	C:\Windows\System32\Wincall.exe	Wincall.exe
File opened for modification	C:\Windows\System32\Wincall.exe	Wincall.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32	Client1.exe
File opened for modification	C:\Windows\System32	Wincall.exe
File opened for modification	C:\Windows\System32	Wincall.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1296	schtasks.exe
2876	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe
2580	Client1.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	Client1.exe
Token: SeDebugPrivilege	2580	Client1.exe
Token: SeDebugPrivilege	2564	Wincall.exe
Token: SeDebugPrivilege	2564	Wincall.exe
Token: SeDebugPrivilege	2584	Wincall.exe
Token: SeDebugPrivilege	2584	Wincall.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2580	Client1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2168	2580	Client1.exe	31
PID 2580 wrote to memory of 2168	2580	Client1.exe	31
PID 2580 wrote to memory of 2168	2580	Client1.exe	31
PID 2168 wrote to memory of 1296	2168	cmd.exe	33
PID 2168 wrote to memory of 1296	2168	cmd.exe	33
PID 2168 wrote to memory of 1296	2168	cmd.exe	33
PID 2580 wrote to memory of 2756	2580	Client1.exe	34
PID 2580 wrote to memory of 2756	2580	Client1.exe	34
PID 2580 wrote to memory of 2756	2580	Client1.exe	34
PID 2756 wrote to memory of 2876	2756	cmd.exe	36
PID 2756 wrote to memory of 2876	2756	cmd.exe	36
PID 2756 wrote to memory of 2876	2756	cmd.exe	36
PID 2580 wrote to memory of 2172	2580	Client1.exe	37
PID 2580 wrote to memory of 2172	2580	Client1.exe	37
PID 2580 wrote to memory of 2172	2580	Client1.exe	37
PID 2172 wrote to memory of 2356	2172	cmd.exe	39
PID 2172 wrote to memory of 2356	2172	cmd.exe	39
PID 2172 wrote to memory of 2356	2172	cmd.exe	39
PID 3040 wrote to memory of 2564	3040	taskeng.exe	41
PID 3040 wrote to memory of 2564	3040	taskeng.exe	41
PID 3040 wrote to memory of 2564	3040	taskeng.exe	41
PID 3040 wrote to memory of 2584	3040	taskeng.exe	43
PID 3040 wrote to memory of 2584	3040	taskeng.exe	43
PID 3040 wrote to memory of 2584	3040	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client1.exe
"C:\Users\Admin\AppData\Local\Temp\Client1.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftEdgeUpdateMachineCore" /tr '"C:\Windows\System32\Wincall.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftEdgeUpdateMachineCore" /tr '"C:\Windows\System32\Wincall.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1296
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Discord update" /tr "C:\Windows\System32\Wincall.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc minute /mo 1 /tn "Discord update" /tr "C:\Windows\System32\Wincall.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2876
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /f /sc minute /mo 3 /tn "Google common update" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc minute /mo 3 /tn "Google common update" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2356

C:\Windows\system32\taskeng.exe
taskeng.exe {1BD09EBB-FB09-43A5-9616-7BC372AEA70E} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\System32\Wincall.exe
  C:\Windows\System32\Wincall.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\Wincall.exe
  C:\Windows\System32\Wincall.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Intel\Games\Common\Commonuodate.exe

Filesize
75KB

MD5
aaa9a1048accb362dff125208ceee259

SHA1
c155cd8763879f4bd22345275d3f4e804683293d

SHA256
60c73b767a7c748be246b9c8edf19922e361f961fde414cdaa20f05933ef983e

SHA512
294ed8482f7f8f670c635f25c299e567357a60f64c7daebcafc2b19c157cffc43d6f448747c5fae8c0865c55916d2f85d4ab3ec7d82a79bd2b99425f754260a1

Download Submit
memory/2564-179-0x00000000011F0000-0x0000000001208000-memory.dmp

Filesize
96KB

Download
memory/2580-0-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/2580-5-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-33-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/2580-34-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-36-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-208-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-225-0x0000000001360000-0x0000000001378000-memory.dmp

Filesize
96KB

Download