a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5

General

Target

a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Size

139KB
MD5

3610a5bda1252fe9c903ee7f7ee22186
SHA1

74a0f46196105eb83d18e2114feaddf92bc6db3b
SHA256

a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5
SHA512

5d0d2207b5cfadc7e7015f433902e18f996814d8e7d4e897c484d30364ca65d448e2da7ec1a1d2915a0fc8cb79da2f31948c5e19a682f50cecbd95f81ee1ed28
SSDEEP

3072:77gWthcA+lmZUvX2O95Rs3Tdliod1/4MBb2YYiZqTkBqP9l:7MKuAtZUvX20i3Tdl7n/4MF2YLcT8qPv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4632	win1ogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\run	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\win1ogon = "C:\\Windows\\system32\\win1ogon.exe"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe

Modifies WinLogon 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Asynchronous = "0"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Lock = "WLEvtLock"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Logoff = "WLEvtLogoff"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Startup = "WLEvtStartup"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\StopScreenSaver = "WLEvtStopScreenSaver"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\StartScreenSaver = "WLEvtStartScreenSaver"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Unlock = "WLEvtUnlock"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\DllName = "win1ogon.dll"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Impersonate = "0"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Logon = "WLEvtLogon"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win1ogon\Shutdown = "WLEvtShutdown"	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\win1ogon.exe	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
File opened for modification	C:\Windows\SysWOW64\win1ogon.exe	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
File created	C:\Windows\SysWOW64\win1ogon.dll	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
File opened for modification	C:\Windows\SysWOW64\win1ogon.dll	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
File created	C:\Windows\SysWOW64\win1ogon.exe	win1ogon.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4632	3140	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe	79
PID 3140 wrote to memory of 4632	3140	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe	79
PID 3140 wrote to memory of 4632	3140	a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe	79

C:\Users\Admin\AppData\Local\Temp\a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe
"C:\Users\Admin\AppData\Local\Temp\a1e20688649e1b1d49068b21f48f1211f52dbd9dd7521448007e987fd0a00cd5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\win1ogon.exe
  "C:\Windows\system32\win1ogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\win1ogon.exe

Filesize
75KB

MD5
ddf15a0f75e1b0d4e85c1c446e55a0da

SHA1
a8201abaf41be7688e44ff93ab9a5928deffc112

SHA256
9c66aaa68ef8738a0cf1f5022f9cfadef248ca52c03e07927132848987e3ce61

SHA512
0b33e4b308e92cb581b739ceeea761477bb034cd52e4b41bd8aba43812ea76c1a142778f3b3b1f4c5aca8b7af62c73181e1f98e125a63fe12a3f1fd58087f878

Download Submit
C:\Windows\SysWOW64\win1ogon.exe

Filesize
75KB

MD5
ddf15a0f75e1b0d4e85c1c446e55a0da

SHA1
a8201abaf41be7688e44ff93ab9a5928deffc112

SHA256
9c66aaa68ef8738a0cf1f5022f9cfadef248ca52c03e07927132848987e3ce61

SHA512
0b33e4b308e92cb581b739ceeea761477bb034cd52e4b41bd8aba43812ea76c1a142778f3b3b1f4c5aca8b7af62c73181e1f98e125a63fe12a3f1fd58087f878

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads