0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Size

131KB
MD5

a31b01b6707db1543d654586bceccfb0
SHA1

17d4cb00c3acac356c02e87177614066ac9e869e
SHA256

0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f
SHA512

838801d8179953c401ecfb98a814f423d8609ef918ad0368b816dc4817654a6905ada195a365d74761ed6d2f518b694f2e8a63a3ac31642ee9b38803ea730d65
SSDEEP

3072:IyrN/sVywaEj1UsEOBYJwyrN/sVywaEj1Usqd5PjJ5Sr5n:Nh9wv1Ut3nh9wv1U1L5Sr5n

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1240	lcss.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000122dc-54.dat	upx
behavioral1/files/0x00090000000122dc-55.dat	upx
behavioral1/files/0x000500000000b2d2-58.dat	upx
behavioral1/files/0x000b0000000122d6-57.dat	upx
behavioral1/files/0x00080000000122dd-56.dat	upx
behavioral1/memory/832-59-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1240-60-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Modifies WinLogon 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	lcss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	lcss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wlogon.dll	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification	C:\Windows\SysWOW64\net.cpl	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification	C:\Windows\SysWOW64\lcss.exe	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification	C:\Windows\SysWOW64\crypto.dll	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	lcss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	832	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Token: SeDebugPrivilege	832	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Token: SeTakeOwnershipPrivilege	1240	lcss.exe
Token: SeDebugPrivilege	1240	lcss.exe

C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
"C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\lcss.exe
C:\Windows\SysWOW64\lcss.exe
1⤵
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\crypto.dll

Filesize
138KB

MD5
6bf4e87007b6f2c672c4d0277bf2367a

SHA1
f2d575da4eb12ff9698793b8bfe8299e1142ee8f

SHA256
b83294f82bd6f3618d974eb63a889d18557a1e219061449a0577aa9579d987d4

SHA512
1f0928b70e0b3a789a245f4243f8179997b87be7e6a05b2ebccaaefbf486f9c00182e981f66012ac126dc98da61811b5b858c90e78f25aba55ee8a77faa28172

Download Submit
C:\Windows\SysWOW64\lcss.exe

Filesize
170KB

MD5
1aee391d492c9fc7cd741d523d14a0f4

SHA1
5c789ecdfb310045db8b0a9cf07ce2f3df7d2622

SHA256
1d14540ef29308331104c2b5827a6d3d8e2eea7f7d32ec10cfd614b3d3f7ee29

SHA512
0276bee883c89549d23df269c7c8afea5618ecb0eddd84239f6a72e59395e3155cf9c2680706000f3a645d477092f6f017a35f0f918c514bd7c3073f349acf28

Download Submit
C:\Windows\SysWOW64\lcss.exe

Filesize
170KB

MD5
1aee391d492c9fc7cd741d523d14a0f4

SHA1
5c789ecdfb310045db8b0a9cf07ce2f3df7d2622

SHA256
1d14540ef29308331104c2b5827a6d3d8e2eea7f7d32ec10cfd614b3d3f7ee29

SHA512
0276bee883c89549d23df269c7c8afea5618ecb0eddd84239f6a72e59395e3155cf9c2680706000f3a645d477092f6f017a35f0f918c514bd7c3073f349acf28

Download Submit
C:\Windows\SysWOW64\net.cpl

Filesize
188KB

MD5
9aeef58994cfd85f5768bb537eda3de1

SHA1
bbbbfbdcfb5a48bb688be09656ce925e28276489

SHA256
a6a1bfe553175b6de37367ac0cede3c6b843eb25518c159cefbfb868a7e73c26

SHA512
866bbe7a9e6f29849b0cde8ef6c005fa9538fda7c9aed22c065a6009da8f09a933db891aa59f820730f7280577f3012ba12e1af81965fd939166965c94d2e5bc

Download Submit
C:\Windows\SysWOW64\wlogon.dll

Filesize
186KB

MD5
d2f87a7a8da69756dcd36ca3cd9b6144

SHA1
c60fae6615ce3123702c5290f84ade95d4fd5923

SHA256
9468058c3818356fc326e6fc8124d856df95ba7acab989707a8975b60eab11af

SHA512
1bc0532b4d8f47f58a7099029d7b9bcb1e03a8340197f902393583694ee71ae7771a98aa008eea710978f603435dd5572bb8e5dcc2d8d1d0ef8e799dff811712

Download Submit
memory/832-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1240-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download