General

Target: winlogon.exe
Size: 5.3MB
Sample: 210422-pfsbgevnzn
MD5: 2f28d85d5893201875c2b9116ce0e159
SHA1: 1b1673e295cf3ca34efde7e0e3ce8ae331dbf166
SHA256: eec0954dcf773f42f0dad7b7ba895b59c201d2fa7d659c8fb4263a12ce32ec05
SHA512: fdd97316559707a62e6793711fbd078e6138565fd36457ee07e9f9eb2bc17038235759ba297fe0880e2d6c05f8a616d880c9155ac3a57117322a5ab1a29917fc
Static task: static1
Behavioral task: behavioral1 (sample winlogon.exe, resource win7v20210408)
Behavioral task: behavioral2 (sample winlogon.exe, resource win10v20210410)
Malware Config

Targets

Target: winlogon.exe
Size: 5.3MB
MD5: 2f28d85d5893201875c2b9116ce0e159
SHA1: 1b1673e295cf3ca34efde7e0e3ce8ae331dbf166
SHA256: eec0954dcf773f42f0dad7b7ba895b59c201d2fa7d659c8fb4263a12ce32ec05
SHA512: fdd97316559707a62e6793711fbd078e6138565fd36457ee07e9f9eb2bc17038235759ba297fe0880e2d6c05f8a616d880c9155ac3a57117322a5ab1a29917fc
Score: 10/10

- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
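The signatures above name three persistence locations (the Run keys, the policy Run keys under Policies\Explorer\Run, and Active Setup "Installed Components"), a geofence lookup, and a drop into System32 under a trusted name. The following host triage script is an added example written for this page; it is not part of the sandbox report or its tooling. It walks those registry locations on a live Windows host, resolves each entry's executable, hashes it against the report's SHA256, and flags a copy of winlogon.exe living anywhere other than System32 or lacking a valid Authenticode signature. It also prints the GeoID value the geofence check reads. The IOC hash is the one listed above; the registry paths are standard Windows locations; the helper names (Get-ExePath, Test-Entry) are this example's own. It does not cover the SetThreadContext behaviour, which needs a memory or process-level check rather than a registry walk. Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added triage example (not part of the sandbox report). Assumes an elevated PowerShell 5.1+ session
# on the host under review. $IocSha256 is the SHA256 from the report; all other paths are standard.
$IocSha256 = 'eec0954dcf773f42f0dad7b7ba895b59c201d2fa7d659c8fb4263a12ce32ec05'
$System32  = Join-Path $env:SystemRoot 'System32'

# Autostart locations matching the report's signatures: Run keys and policy Run keys.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# "Installed Components" = Active Setup; each subkey's StubPath runs once per user at logon.
$ActiveSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

# Extract the executable path from a command line, quoted ("C:\a b\x.exe" /s) or not (C:\x.exe /s).
function Get-ExePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: shortest prefix ending in .exe followed by whitespace or end of string.
    $m = [regex]::Match($cl, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

# Hash and inspect one autostart entry; returns an object with any triage flags raised.
function Test-Entry([string]$Source, [string]$Name, [string]$CommandLine) {
    $exe = Get-ExePath $CommandLine
    $obj = [pscustomobject]@{ Source = $Source; Name = $Name; Command = $CommandLine
                              Path = $exe; SHA256 = $null; Flags = @() }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $obj.SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
        if ($obj.SHA256 -eq $IocSha256) { $obj.Flags += 'HASH-MATCH' }
        # The sample masquerades as winlogon.exe; the real one lives only in System32.
        if ((Split-Path $exe -Leaf) -ieq 'winlogon.exe' -and
            (Split-Path $exe -Parent) -ine $System32) { $obj.Flags += 'WINLOGON-OUTSIDE-SYSTEM32' }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $obj.Flags += "UNSIGNED($($sig.Status))" }
    } elseif ($exe) {
        $obj.Flags += 'MISSING-FILE'   # dangling autostart entry, worth a look either way
    }
    $obj.Flags = $obj.Flags -join ','
    return $obj
}

$results = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/PSProvider metadata
        $results += Test-Entry $key $p.Name ([string]$p.Value)
    }
}
foreach ($root in $ActiveSetupKeys) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) { $results += Test-Entry $root $_.PSChildName ([string]$stub) }
    }
}

# The geofence signature: the configured country is the GeoID stored under Control Panel\International\Geo.
$geo = (Get-ItemProperty 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue).Nation
"GeoID (HKCU\Control Panel\International\Geo\Nation): $geo"

# Flagged entries first, then everything else for manual review.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table Source, Name, Path, SHA256, Flags -AutoSize
```

A hash match is conclusive; the other flags are leads. Unsigned entries under Run keys are common on real hosts, so treat UNSIGNED as a prompt to check the path and publisher rather than a verdict, and note that a sample which only runs outside certain GeoIDs will show none of the persistence entries on a host whose GeoID it declines.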