Analysis

  • max time kernel
    103s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    29-03-2021 23:50

General

  • Target

    wlnlogon.exe

  • Size

    34KB

  • MD5

    c626eb5448aafaeab9a3a207cca1f44c

  • SHA1

    b2197768b2f44c97e45a82ae9bfbbbb2a89c7cfa

  • SHA256

    4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593

  • SHA512

    455c947fb9fe7dffc79a31e54d781b863bdb47acbf9ad7b4ab619177388a6bf7a01237cad945a88ee9e3121d74c01e74c851d3da89b4d3de5de4efb4389847e6

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often deletes shadow copies and other local backups to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to delete the Windows Backup catalog, inhibiting system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe
    "C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe
      "C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe" n644
      2⤵
      PID:1804
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1224
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:588
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1440
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1836
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1368
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:284
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:608
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x224
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:780
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\build note.txt
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1088

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                  ID     Count
  Execution            Command-Line Interface     T1059  1
  Defense Evasion      File Deletion              T1107  3
  Defense Evasion      Install Root Certificate   T1130  1
  Defense Evasion      Modify Registry            T1112  1
  Credential Access    Credentials in Files       T1081  1
  Collection           Data from Local System     T1005  1
  Command and Control  Web Service                T1102  1
  Impact               Inhibit System Recovery    T1490  3

  Note: these are ATT&CK v6 identifiers. In current ATT&CK, T1107 File Deletion is T1070.004 (Indicator Removal: File Deletion), T1130 is T1553.004 (Subvert Trust Controls: Install Root Certificate), T1081 is T1552.001 (Unsecured Credentials: Credentials In Files), and T1059 is now named Command and Scripting Interpreter; T1005, T1102, T1112 and T1490 are unchanged.


Downloads

  • C:\build note.txt
    MD5

    1dc152e66947d7a81697a24f02407a9e

    SHA1

    4d95efc3d9403c6843bfce333a08a0451caec07c

    SHA256

    948e0a2ad1fabf16e73ffa6525a5b5bbaf0a6630a3f3d1d20b7f474fd3b803c9

    SHA512

    452adac16abb4e1f8292f0b2de0d8fe46f6d0c487f3c78466706b3e6781806df59acd4219ef96656d4dfe24102472befab1971db07244f89d186d314eb170f9b

  • memory/288-9-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp
    Filesize

    2.5MB

  • memory/588-6-0x0000000000000000-mapping.dmp
  • memory/588-7-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp
    Filesize

    8KB

  • memory/644-2-0x00000000765E1000-0x00000000765E3000-memory.dmp
    Filesize

    8KB

  • memory/1224-5-0x0000000000000000-mapping.dmp
  • memory/1712-8-0x0000000000000000-mapping.dmp
  • memory/1720-4-0x0000000000000000-mapping.dmp