Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:30
Static task: static1
Behavioral task: behavioral1
  Sample: a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
  Resource: win10v2004-20221111-en
General
Target: a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
Size: 461KB
MD5: a24a3b0b05139f148ccc7ca0af3483c1
SHA1: 367089a4d30d9015fc17a62e3f03054be51dc8b2
SHA256: a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187
SHA512: abab10cb74a1e529c30f5356d325862a493606df7d688ad7f4f6db926747673037dfd60ca8ae8de1bec93ecbc48a8405f1664a12bd707cd772a00f9c6bc6afd8
SSDEEP: 3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes:
pid  | process
2432 | winlogon.exe
1592 | winlogon.exe
4512 | winlogon.exe
Processes:
resource                                                                      | yara_rule
behavioral2/memory/1808-134-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/1808-136-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/1808-137-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/1808-140-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/1592-153-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/1808-154-0x0000000000400000-0x000000000041C000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description       | ioc                                                                                                     | process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description                         | pid  | process                                                              | target process
PID 1356 set thread context of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 2432 set thread context of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 1592 set thread context of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
pid  | pid_target | process      | target process
4176 | 4512       | WerFault.exe | winlogon.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid  | process
1808 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
1592 | winlogon.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes:
description                      | pid  | process                                                              | target process
PID 1356 wrote to memory of 3824 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | svchost.exe
PID 1356 wrote to memory of 3824 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | svchost.exe
PID 1356 wrote to memory of 3824 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | svchost.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1356 wrote to memory of 1808 | 1356 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
PID 1808 wrote to memory of 2432 | 1808 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | winlogon.exe
PID 1808 wrote to memory of 2432 | 1808 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | winlogon.exe
PID 1808 wrote to memory of 2432 | 1808 | a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe | winlogon.exe
PID 2432 wrote to memory of 3476 | 2432 | winlogon.exe                                                         | svchost.exe
PID 2432 wrote to memory of 3476 | 2432 | winlogon.exe                                                         | svchost.exe
PID 2432 wrote to memory of 3476 | 2432 | winlogon.exe                                                         | svchost.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 2432 wrote to memory of 1592 | 2432 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
PID 1592 wrote to memory of 4512 | 1592 | winlogon.exe                                                         | winlogon.exe
Processes
(process tree; indentation gives the parent/child depth shown in the report)

C:\Users\Admin\AppData\Local\Temp\a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\\svchost.exe

    C:\Users\Admin\AppData\Local\Temp\a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187.exe
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\E696D64614\winlogon.exe
          Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\svchost.exe
              Command line: C:\Windows\system32\\svchost.exe

            C:\Users\Admin\E696D64614\winlogon.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\E696D64614\winlogon.exe
                  Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
                  - Executes dropped EXE

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 12
                      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4512 -ip 4512
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\E696D64614\winlogon.exe (listed four times in the report; all four entries are identical, and the hashes match the submitted sample)
Filesize: 461KB
MD5: a24a3b0b05139f148ccc7ca0af3483c1
SHA1: 367089a4d30d9015fc17a62e3f03054be51dc8b2
SHA256: a206a328558e6bf5f770ce48e0b379d2fa0a79846de66ba9a8b864b02d75f187
SHA512: abab10cb74a1e529c30f5356d325862a493606df7d688ad7f4f6db926747673037dfd60ca8ae8de1bec93ecbc48a8405f1664a12bd707cd772a00f9c6bc6afd8
memory/1592-153-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/1592-145-0x0000000000000000-mapping.dmp
memory/1808-140-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/1808-137-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/1808-136-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/1808-134-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/1808-154-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/1808-133-0x0000000000000000-mapping.dmp
memory/2432-141-0x0000000000000000-mapping.dmp
memory/3476-144-0x0000000000000000-mapping.dmp
memory/3824-132-0x0000000000000000-mapping.dmp
memory/4512-155-0x0000000000000000-mapping.dmp