Overview

overview

10

Static

static

2d31b64150...9d.exe

windows7-x64

8

2d31b64150...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 11:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d31b641508b195873f092d1dc4ae00b4660882549f0a2e484c863495845039d.exe

  • Size

    98KB

  • MD5

    c47084affdc6747ac556343024a6148d

  • SHA1

    90ac3dbc690723e92f77baf14db5e5729f794852

  • SHA256

    2d31b641508b195873f092d1dc4ae00b4660882549f0a2e484c863495845039d

  • SHA512

    f1002e26f84e7d3f53966772478e9bd3792b36ac6d631e04e4ef9fe58b040fd566f88f107aac5477c9c0c7d5e5d30a35e164fc988c2fcd5b94ad5e8e4f0720fa

  • SSDEEP

    1536:9QxqcQu0XPmEmEcYUpEjCTfaAIW1EvqTlrxtPpFAXF9N/6Sy:y/03mEcppEjCTfaAIWSqTlrbPLEz4

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:620
    • C:\Users\Admin\AppData\Local\Temp\2d31b641508b195873f092d1dc4ae00b4660882549f0a2e484c863495845039d.exe
      "C:\Users\Admin\AppData\Local\Temp\2d31b641508b195873f092d1dc4ae00b4660882549f0a2e484c863495845039d.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe
        "C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe
          "C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:836

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe
      Filesize

      74KB

      MD5

      5b1a85d948bd7a075ebd0df2296ae9d5

      SHA1

      2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

      SHA256

      8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

      SHA512

      46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe
      Filesize

      74KB

      MD5

      5b1a85d948bd7a075ebd0df2296ae9d5

      SHA1

      2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

      SHA256

      8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

      SHA512

      46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\6ty6D26.exe
      Filesize

      74KB

      MD5

      5b1a85d948bd7a075ebd0df2296ae9d5

      SHA1

      2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

      SHA256

      8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

      SHA512

      46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

      Download Submit
    • memory/620-197-0x000000000E680000-0x000000000E6A6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-202-0x000000000E6B0000-0x000000000E6D6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-242-0x000000000E830000-0x000000000E856000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-237-0x000000000E800000-0x000000000E826000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-232-0x000000000E7D0000-0x000000000E7F6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-227-0x000000000E7A0000-0x000000000E7C6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-222-0x000000000E770000-0x000000000E796000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-217-0x000000000E740000-0x000000000E766000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-212-0x000000000E710000-0x000000000E736000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-152-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-157-0x000000000E500000-0x000000000E526000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-162-0x000000000E530000-0x000000000E556000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-167-0x000000000E560000-0x000000000E586000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-172-0x000000000E590000-0x000000000E5B6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-177-0x000000000E5C0000-0x000000000E5E6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-182-0x000000000E5F0000-0x000000000E616000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-187-0x000000000E620000-0x000000000E646000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-192-0x000000000E650000-0x000000000E676000-memory.dmp
      Filesize

      152KB

      Download
    • memory/620-207-0x000000000E6E0000-0x000000000E706000-memory.dmp
      Filesize

      152KB

      Download
    • memory/836-139-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/836-147-0x0000000000410000-0x0000000000412000-memory.dmp
      Filesize

      8KB

      Download
    • memory/836-145-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/836-144-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/836-137-0x0000000000000000-mapping.dmp
      Download
    • memory/836-141-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/836-140-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/836-138-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/4760-132-0x0000000000000000-mapping.dmp
      Download