makop | 4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593 | Triage

Submit
Reports

Overview

overview

Static

static

wlnlogon.exe

windows7_x64

9

wlnlogon.exe

windows10_x64

Sharing

General

Target

wlnlogon.exe
Size

34KB
Sample

210329-7afah9gsfe
MD5

c626eb5448aafaeab9a3a207cca1f44c
SHA1

b2197768b2f44c97e45a82ae9bfbbbb2a89c7cfa
SHA256

4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593
SHA512

455c947fb9fe7dffc79a31e54d781b863bdb47acbf9ad7b4ab619177388a6bf7a01237cad945a88ee9e3121d74c01e74c851d3da89b4d3de5de4efb4389847e6

Score

10^/10

makop persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

wlnlogon.exe

Resource

win7v20201028

ransomware spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

wlnlogon.exe

Resource

win10v20201028

persistence ransomware spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  wlnlogon.exe
- Size
  
  34KB
- MD5
  
  c626eb5448aafaeab9a3a207cca1f44c
- SHA1
  
  b2197768b2f44c97e45a82ae9bfbbbb2a89c7cfa
- SHA256
  
  4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593
- SHA512
  
  455c947fb9fe7dffc79a31e54d781b863bdb47acbf9ad7b4ab619177388a6bf7a01237cad945a88ee9e3121d74c01e74c851d3da89b4d3de5de4efb4389847e6
Score

10^/10

ransomware spyware stealer persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Installed Components in the registry
  persistence
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ransomwarespywarestealer

behavioral2

persistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy