Overview

Score  Target                  Platform
10     Static                  -
10     Wolfteam/Hack.exe       windows7_x64
10     Wolfteam/Hack.exe       windows10_x64
10     Wolfteam/S...RT.dll     windows7_x64
       Wolfteam/S...RT.dll     windows10_x64
       Wolfteam/a..._0.dll     windows7_x64
       Wolfteam/a..._0.dll     windows10_x64
       Wolfteam/a..._0.dll     windows7_x64
       Wolfteam/a..._0.dll     windows10_x64
       Wolfteam/a..._0.dll     windows7_x64
       Wolfteam/a..._0.dll     windows10_x64
       Wolfteam/a..._0.dll     windows7_x64
1      Wolfteam/a..._0.dll     windows10_x64
1      Wolfteam/python27.dll   windows7_x64
       Wolfteam/python27.dll   windows10_x64

(Target names in this overview are shortened as in the report's navigation; the full sample names are listed under "Behavioral tasks" below.)
Analysis

Max time kernel:   70s
Max time network:  70s
Platform:          windows10_x64
Resource:          win10v20201028
Submitted:         25-03-2021 22:00
Behavioral tasks

Task          Sample                                          Resource
behavioral1   Wolfteam/Hack.exe                               win7v20201028
behavioral2   Wolfteam/Hack.exe                               win10v20201028
behavioral3   Wolfteam/SpeedTreeRT.dll                        win7v20201028
behavioral4   Wolfteam/SpeedTreeRT.dll                        win10v20201028
behavioral5   Wolfteam/api_ms_win_core_interlocked_l1_1_0.dll win7v20201028
behavioral6   Wolfteam/api_ms_win_core_interlocked_l1_1_0.dll win10v20201028
behavioral7   Wolfteam/api_ms_win_core_synch_l1_1_0.dll       win7v20201028
behavioral8   Wolfteam/api_ms_win_core_synch_l1_1_0.dll       win10v20201028
behavioral9   Wolfteam/api_ms_win_core_timezone_l1_1_0.dll    win7v20201028
behavioral10  Wolfteam/api_ms_win_core_timezone_l1_1_0.dll    win10v20201028
behavioral11  Wolfteam/api_ms_win_crt_locale_l1_1_0.dll       win7v20201028
behavioral12  Wolfteam/api_ms_win_crt_locale_l1_1_0.dll       win10v20201028
behavioral13  Wolfteam/python27.dll                           win7v20201028
behavioral14  Wolfteam/python27.dll                           win10v20201028

This page covers behavioral14 (python27.dll on win10v20201028). Note that the api_ms_win_* files are shown here with underscores in their names, whereas the Windows API set forwarder DLLs are named with hyphens (api-ms-win-core-synch-l1-1-0.dll and so on); whether the files in the archive are the genuine forwarders is not established by this report.
Errors

General

Target:  Wolfteam/python27.dll
Size:    2.4MB
MD5:     da8b71b282bb2c3e0ac3e0465e592e5d
SHA1:    f3eaa7956a42dd65dc008d5621263ae4155eb204
SHA256:  6c771faf75ac68d28f83509fc113288035978122dc49de8936d9011e0a9b20ab
SHA512:  aa5c9c305b7d01eed4ed90afde0e4964071279ba64d0c5fa5743c70ecc039a841e437c6f850b5fdd770e61907aa55a98643545b1615829d4e420aac3eb133663
Malware Config
Signatures

Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
  Enables rebooting of the machine without requiring login credentials.
  Process: LogonUI.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
  Caveat: the writing process is LogonUI.exe (PID 2072), which the process tree below shows as a separate top-level process, not a descendant of the rundll32.exe chain that loaded python27.dll. This hit comes from the sandbox's own logon session, not from the sample.

Program crash (2 IoCs)
  Process       PID   Target PID  Target process
  WerFault.exe  1868  1420        rundll32.exe
  WerFault.exe  3980  1420        rundll32.exe
  PID 1420 is the SysWOW64 rundll32.exe that loaded python27.dll; Windows Error Reporting was started twice for it (see the "-u -p 1420 -s 628" command lines below).

Modifies data under HKEY_USERS (15 IoCs)
  Process: LogonUI.exe (all 15 entries)
    Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Caveat: every entry is an accent-colour or DWM colorization value under HKEY_USERS\.DEFAULT written by LogonUI.exe, the same unrelated logon process as above; none is attributable to python27.dll.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Process: WerFault.exe, PID 1868 (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: WerFault.exe, PID 1868
    Token: SeRestorePrivilege
    Token: SeBackupPrivilege
    Token: SeDebugPrivilege
  These privileges are enabled by Windows Error Reporting itself, which must open and read the crashing process (PID 1420) to build a report; they are not enabled by the sample.

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: LogonUI.exe, PID 2072 (2 occurrences)

Suspicious use of WriteProcessMemory (3 IoCs)
  Process: rundll32.exe, PID 1144
    PID 1144 wrote to memory of PID 1420 (rundll32.exe), 3 occurrences
  PID 1144 is C:\Windows\system32\rundll32.exe and PID 1420 is C:\Windows\SysWOW64\rundll32.exe with the same command line: the 64-bit rundll32 re-launching its 32-bit copy to load a 32-bit DLL (the WoW64 hand-off). The writes are the parent's setup of its own child process, not an injection into a foreign process.
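Several of the hits above are raised by LogonUI.exe, not by the rundll32.exe chain that loaded the sample, and the rest are raised by the loader and by Windows Error Reporting. The following Python script is an added example, not part of this report or of any sandbox's code: it attributes each signature hit to a process lineage so the two kinds can be separated mechanically and flags whether the sample's tree contains anything beyond loader and WER processes. PROCESSES and HITS are transcribed from this report (parent links come from the WriteProcessMemory hit and the WerFault "-p 1420" target; LogonUI.exe is a top-level process); the function names are the example's own.

```python
"""Attribute sandbox signature hits to process lineage.

Added example (not part of the sandbox report). PROCESSES and HITS are
transcribed from the report: parent links come from the WriteProcessMemory
hit (1144 -> 1420) and the WerFault "-p 1420" target; LogonUI.exe is shown
as a top-level process, so it has no parent here.
"""
from collections import defaultdict

# pid -> (parent pid or None, image path)
PROCESSES = {
    1144: (None, r"C:\Windows\system32\rundll32.exe"),
    1420: (1144, r"C:\Windows\SysWOW64\rundll32.exe"),
    1868: (1420, r"C:\Windows\SysWOW64\WerFault.exe"),
    3980: (1420, r"C:\Windows\SysWOW64\WerFault.exe"),
    2072: (None, r"C:\Windows\system32\LogonUI.exe"),
}

# (signature name, pid that raised it)
HITS = [
    ("Modifies WinLogon to allow AutoLogon", 2072),
    ("Program crash", 1868),
    ("Program crash", 3980),
    ("Modifies data under HKEY_USERS", 2072),
    ("Suspicious behavior: EnumeratesProcesses", 1868),
    ("Suspicious use of AdjustPrivilegeToken", 1868),
    ("Suspicious use of SetWindowsHookEx", 2072),
    ("Suspicious use of WriteProcessMemory", 1144),
]

# Images that only host or report on the sample; if the sample's lineage
# contains nothing else, it never ran anything beyond the loader.
LOADER_IMAGES = ("rundll32.exe", "werfault.exe")


def lineage(pid, processes):
    """Chain of pids from `pid` up to its root (root last); cycles are cut."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = processes[pid][0] if pid in processes else None
    return chain


def descendants(root, processes):
    """Every pid whose lineage passes through `root`, including `root`."""
    return {pid for pid in processes if root in lineage(pid, processes)}


def attribute_hits(hits, processes, sample_root):
    """Split hits into those raised inside the sample's tree and the rest.

    Returns {"sample": {sig: {pids}}, "unrelated": {sig: {pids}}}.
    """
    tree = descendants(sample_root, processes)
    out = {"sample": defaultdict(set), "unrelated": defaultdict(set)}
    for sig, pid in hits:
        out["sample" if pid in tree else "unrelated"][sig].add(pid)
    return {k: dict(v) for k, v in out.items()}


def is_wow64_relaunch(pid, processes):
    """True when a SysWOW64 rundll32 was started by a system32 rundll32:
    the 64-bit loader handing a 32-bit DLL to the 32-bit copy of itself."""
    parent, image = processes[pid]
    if parent is None:
        return False
    return (image.lower().endswith(r"\syswow64\rundll32.exe")
            and processes[parent][1].lower().endswith(r"\system32\rundll32.exe"))


def only_loader_and_wer(sample_root, processes):
    """True if the sample's tree holds nothing but rundll32/WerFault images."""
    return all(processes[p][1].lower().rsplit("\\", 1)[-1] in LOADER_IMAGES
               for p in descendants(sample_root, processes))


if __name__ == "__main__":
    result = attribute_hits(HITS, PROCESSES, sample_root=1144)
    for bucket, sigs in result.items():
        print(f"[{bucket}]")
        for sig, pids in sorted(sigs.items()):
            print(f"  {sig}: pids {sorted(pids)}")
    print("WoW64 relaunch for 1420:", is_wow64_relaunch(1420, PROCESSES))
    print("Sample tree is loader/WER only:", only_loader_and_wer(1144, PROCESSES))
```

Run against this report's data, the three LogonUI.exe signatures land in the "unrelated" bucket, the crash and WER signatures in the "sample" bucket, and the sample's tree consists only of rundll32.exe and WerFault.exe images, which is the picture to keep in mind when reading the score for this task.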
Processes

C:\Windows\system32\rundll32.exe (PID 1144)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wolfteam\python27.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1420)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wolfteam\python27.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 1868)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 628
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 3980)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 628
      - Program crash

C:\Windows\system32\LogonUI.exe (PID 2072)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad4055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

Reading the tree: the sandbox ran the DLL with "rundll32 python27.dll,#1", which asks rundll32 to call the DLL's export at ordinal 1 using rundll32's own (HWND, HINSTANCE, LPSTR, int) calling convention. The 64-bit rundll32 (PID 1144) handed the 32-bit DLL to its SysWOW64 copy (PID 1420), and that process crashed, producing the two WerFault.exe instances. A library that is not written as a rundll32 entry point will usually fault when called this way, so the crash on its own is not evidence of malicious behaviour; the indentation levels above are the PIDs' parent/child relations as reported, and nothing else ran under the sample's tree. LogonUI.exe is a separate top-level process of the sandbox's logon session.
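Two facts decide what the process tree above looks like: the DLL's PE Machine field (which tells 64-bit rundll32 to hand off to the SysWOW64 copy) and which export sits at ordinal 1 (rundll32 resolves "#N" as export ordinal N, not the N-th name, and ordinals can have gaps). The script below is an added example, not code from the report or from the sample, that reads both from the PE headers using only the Python standard library. Because the report does not establish what this copy of python27.dll exports, build_synthetic_dll() constructs a tiny x86 PE32 test image with two invented export names ("Alpha", "Beta") so the script runs offline; for a real file, pass open(path, "rb").read() to machine() and resolve_ordinal().

```python
"""Resolve what `rundll32 <dll>,#N` calls, from the PE headers alone.

Added example, not code from the report or the sample. `#N` is export
*ordinal* N (ordinal = base + index into AddressOfFunctions), and 64-bit
rundll32 hands a DLL whose Machine field is x86 to its SysWOW64 copy.
build_synthetic_dll() is constructed test input with invented names.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C

def _pe_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off

def machine(data):
    """COFF Machine field: 0x14c = x86, 0x8664 = x64."""
    return struct.unpack_from("<H", data, _pe_offset(data) + 4)[0]

def needs_wow64(data):
    """True for a 32-bit DLL, which 64-bit rundll32 relaunches under SysWOW64."""
    return machine(data) == IMAGE_FILE_MACHINE_I386

def _sections(data, pe):
    """(VirtualAddress, size, PointerToRawData) for every section header."""
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    first = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    secs = []
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, first + 40 * i + 8)
        secs.append((vaddr, max(vsize, rsize), rptr))
    return secs

def _rva_to_offset(rva, secs):
    for vaddr, size, rptr in secs:
        if vaddr <= rva < vaddr + size:
            return rptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def exports(data):
    """Return (ordinal base, {ordinal: (name or None, function RVA)})."""
    pe = _pe_offset(data)
    opt = pe + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    exp_rva = struct.unpack_from("<I", data, opt + (96 if is_pe32 else 112))[0]
    if exp_rva == 0:
        return 0, {}
    secs = _sections(data, pe)
    e = _rva_to_offset(exp_rva, secs)
    base, nfunc, nnames, fn_rva, nm_rva, ord_rva = struct.unpack_from("<6I", data, e + 16)
    funcs = struct.unpack_from(f"<{nfunc}I", data, _rva_to_offset(fn_rva, secs))
    names = {}
    if nnames:
        name_rvas = struct.unpack_from(f"<{nnames}I", data, _rva_to_offset(nm_rva, secs))
        idxs = struct.unpack_from(f"<{nnames}H", data, _rva_to_offset(ord_rva, secs))
        for rva, idx in zip(name_rvas, idxs):            # idx indexes `funcs`
            off = _rva_to_offset(rva, secs)
            names[idx] = data[off:data.index(b"\0", off)].decode("ascii")
    # A zero function RVA is an unused ordinal inside the exported range.
    return base, {base + i: (names.get(i), rva) for i, rva in enumerate(funcs) if rva}

def resolve_ordinal(data, ordinal):
    """The export rundll32 would call for `,#ordinal`, or None if unused."""
    return exports(data)[1].get(ordinal)

def build_synthetic_dll():
    """Constructed test input: an x86 PE32 DLL exporting invented names
    'Alpha' (ordinal 1) and 'Beta' (ordinal 3); ordinal 2 is a gap."""
    sec_rva, sec_raw = 0x1000, 0x200
    dllname, a, b = b"synthetic.dll\0", b"Alpha\0", b"Beta\0"
    funcs_off, names_off, ords_off, str_off = 40, 52, 60, 64
    a_rva = sec_rva + str_off + len(dllname)
    section = (
        struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + str_off, 1, 3, 2,
                    sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
        + struct.pack("<3I", 0x2000, 0, 0x2010)         # AddressOfFunctions
        + struct.pack("<2I", a_rva, a_rva + len(a))     # AddressOfNames
        + struct.pack("<2H", 0, 2)                      # AddressOfNameOrdinals
        + dllname + a + b
    )
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, len(section))            # export directory
    sec_hdr = struct.pack("<8s6IHHI", b".edata", len(section), sec_rva, len(section),
                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sec_hdr
    return headers + b"\0" * (sec_raw - len(headers)) + section

if __name__ == "__main__":
    img = build_synthetic_dll()
    print(f"machine {machine(img):#x}, needs WoW64: {needs_wow64(img)}")
    for n in (1, 2, 3):
        print(f",#{n} -> {resolve_ordinal(img, n)}")
```

On the synthetic image ",#1" resolves to "Alpha", ",#2" to nothing (an unused ordinal, which rundll32 would fail to find), and ",#3" to "Beta"; the Machine field is x86, so the 64-bit rundll32 would hand it to SysWOW64\rundll32.exe exactly as in the tree above. Running the same functions over the real python27.dll from the archive tells you which export the sandbox actually invoked.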