wlnlogon.exe

General

Target: wlnlogon.exe
Size: 34KB
Sample: 210329-7afah9gsfe
Score: 10/10
MD5: c626eb5448aafaeab9a3a207cca1f44c
SHA1: b2197768b2f44c97e45a82ae9bfbbbb2a89c7cfa
SHA256: 4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593
SHA512: 455c947fb9fe7dffc79a31e54d781b863bdb47acbf9ad7b4ab619177388a6bf7a01237cad945a88ee9e3121d74c01e74c851d3da89b4d3de5de4efb4389847e6

Malware Config

Targets

Target: wlnlogon.exe
MD5: c626eb5448aafaeab9a3a207cca1f44c
Filesize: 34KB
Score: 10/10
SHA1: b2197768b2f44c97e45a82ae9bfbbbb2a89c7cfa
SHA256: 4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593
SHA512: 455c947fb9fe7dffc79a31e54d781b863bdb47acbf9ad7b4ab619177388a6bf7a01237cad945a88ee9e3121d74c01e74c851d3da89b4d3de5de4efb4389847e6

Tags

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies
    Description: Ransomware often targets backup files to inhibit system recovery.
    TTPs: File Deletion; Inhibit System Recovery

  • Deletes backup catalog
    Description: Uses wbadmin.exe to inhibit system recovery.
    TTPs: Command-Line Interface; File Deletion; Inhibit System Recovery

  • Modifies Installed Components in the registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files

  • Enumerates connected drives
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry; Peripheral Device Discovery; System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2
    TTPs: Web Service

Related Tasks

MITRE ATT&CK Matrix

Command and Control; Credential Access; Exfiltration; Initial Access; Lateral Movement; Privilege Escalation

Tasks

static1: 10/10
behavioral1: 9/10