0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Size

131KB
MD5

a31b01b6707db1543d654586bceccfb0
SHA1

17d4cb00c3acac356c02e87177614066ac9e869e
SHA256

0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f
SHA512

838801d8179953c401ecfb98a814f423d8609ef918ad0368b816dc4817654a6905ada195a365d74761ed6d2f518b694f2e8a63a3ac31642ee9b38803ea730d65
SSDEEP

3072:IyrN/sVywaEj1UsEOBYJwyrN/sVywaEj1Usqd5PjJ5Sr5n:Nh9wv1Ut3nh9wv1U1L5Sr5n

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4108	lcss.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e37-132.dat	upx
behavioral2/files/0x0006000000022e37-133.dat	upx
behavioral2/files/0x0007000000022e2f-136.dat	upx
behavioral2/files/0x0007000000022e32-135.dat	upx
behavioral2/files/0x0006000000022e38-134.dat	upx
behavioral2/memory/4560-137-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4108-138-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Modifies WinLogon 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	lcss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wlogon.dll	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification	C:\Windows\SysWOW64\net.cpl	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification	C:\Windows\SysWOW64\lcss.exe	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification	C:\Windows\SysWOW64\crypto.dll	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	lcss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4560	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Token: SeDebugPrivilege	4560	0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Token: SeTakeOwnershipPrivilege	4108	lcss.exe
Token: SeDebugPrivilege	4108	lcss.exe

C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
"C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\lcss.exe
C:\Windows\SysWOW64\lcss.exe
1⤵
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\crypto.dll

Filesize
182KB

MD5
46f56da73fee598a0fc161a09f8ef190

SHA1
bf4ff701f4f545f9c4a6faee803ecd5759863aef

SHA256
65271a7a7b0a4b38514af41fb162bcbb32ebd02b2cfc416619f7567a066dd3e3

SHA512
e391b2ed54391b7a88881cf3801ae4bceb6cd6dabba403e52b095dfc5db480eae9687e89adb5e0b221a958a4ed323231851d9acd357e9e2a9b85b2467fba2f41

Download Submit
C:\Windows\SysWOW64\lcss.exe

Filesize
145KB

MD5
88fbe34de3599ce0d8c3f7b7af657863

SHA1
6a70f7da5ec2f17d0a65b47132ba5e30fdfcefbc

SHA256
6b7864784253cae53377a05530532fbdf14c35505c9a09533fe8883bb390187d

SHA512
9320d09de917cb2670d96162e6e19afc375873d435ce13a546e3cb83e8c9175a28be2a32105e1b33ede96927ef1079e363823236bcae25812cdf71e26ba0950d

Download Submit
C:\Windows\SysWOW64\lcss.exe

Filesize
145KB

MD5
88fbe34de3599ce0d8c3f7b7af657863

SHA1
6a70f7da5ec2f17d0a65b47132ba5e30fdfcefbc

SHA256
6b7864784253cae53377a05530532fbdf14c35505c9a09533fe8883bb390187d

SHA512
9320d09de917cb2670d96162e6e19afc375873d435ce13a546e3cb83e8c9175a28be2a32105e1b33ede96927ef1079e363823236bcae25812cdf71e26ba0950d

Download Submit
C:\Windows\SysWOW64\net.cpl

Filesize
216KB

MD5
21cdd9ca63946ed5c7857941da9609d0

SHA1
373226e91811d6d203bfff64e4fe9ae03a292d18

SHA256
de0aa80a1d8cd98b3bc7f6783528478370a95f0b37f5b123b49486489ad2a058

SHA512
cb6ddde9a454123e8cdfa3c77d499482196f4c988ec7094624816fd4ebce68ba5f4bd338013e009724387b2bf7d808e0b4ebb6ea1c165d78bb3985c138d85a8b

Download Submit
C:\Windows\SysWOW64\wlogon.dll

Filesize
211KB

MD5
6669b99ffddc26f899d5893ff84c92d6

SHA1
43b9b44fb0948940fdeffef4e0578c5943c331b3

SHA256
45c851fbcbcf2e151cb13f5d3094416ac3d42bf998939d5c6a1e37665a432d86

SHA512
bc1bf7066c7b91c6f0bed71bc2a200a020497c9c09804c32f549ca7c3ea0194bc6a44073b6ecbbe3bd27a7851d87453c96fb83109e88ef9492123fdbfd4d0a44

Download Submit
memory/4108-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4560-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download