Analysis
max time kernel: 150s
max time network: 296s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 14:44
Static task: static1
Behavioral task behavioral1: sample 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe, resource win7-20221111-en
Behavioral task behavioral2: sample 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe, resource win10v2004-20221111-en
General
Target: 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
Size: 1.6MB
MD5: 0113e41018d832aba3aaabe664ac4775
SHA1: dfeedb9da14800ebedb5bf051a8387d35f48986c
SHA256: 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581
SHA512: e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a
SSDEEP: 3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   process
400   winlogon.exe
5064  winlogon.exe
1708  winlogon.exe
5024  winlogon.exe

yara_rule upx matched resources:
behavioral2/memory/848-134-0x0000000000400000-0x000000000041C000-memory.dmp
behavioral2/memory/848-136-0x0000000000400000-0x000000000041C000-memory.dmp
behavioral2/memory/848-137-0x0000000000400000-0x000000000041C000-memory.dmp
behavioral2/memory/848-143-0x0000000000400000-0x000000000041C000-memory.dmp
behavioral2/memory/5064-153-0x0000000000400000-0x000000000041C000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The Geo\Nation value is the Windows GeoID of the user's configured country; this sandbox ran with locale en-us (see resource tags).
process: 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (4 IoCs)
pid   process                                                                  target pid  target process
4152  28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe    848         28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
400   winlogon.exe                                                             5064        winlogon.exe
5064  winlogon.exe                                                             1708        winlogon.exe
5064  winlogon.exe                                                             5024        winlogon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox labels this as likely ransomware behaviour. No IoC is listed for this signature and nothing else in the report (no file writes other than the self-copy, no network activity) corroborates ransomware, so treat the label as a heuristic.
Program crash (2 IoCs)
pid   process       target pid  target process
1296  WerFault.exe  1708        winlogon.exe
4624  WerFault.exe  5024        winlogon.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   process
848   28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
5064  winlogon.exe
Suspicious use of WriteProcessMemory (41 IoCs; identical rows collapsed, count of rows in the last column)
pid   process                                                                  target pid  target process                                                           rows
4152  28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe    1368        svchost.exe                                                              3
4152  28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe    848         28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe    8
848   28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe    400         winlogon.exe                                                             3
400   winlogon.exe                                                             3600        svchost.exe                                                              3
400   winlogon.exe                                                             5064        winlogon.exe                                                             8
5064  winlogon.exe                                                             1708        winlogon.exe                                                             8
5064  winlogon.exe                                                             5024        winlogon.exe                                                             8
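The yara_rule upx hits above are on the 112KB region at image base 0x400000 of the hollowed process 848 (and later 5064), so the image written into each child still carries UPX markers. As an added example, not code from the sandbox report: a minimal PE section-table walker that reports UPX0/UPX1 section names (what upx YARA rules commonly key on) and checks that the dumped span starts at ImageBase and is large enough to hold SizeOfImage. The PE buffer is constructed inline by build_min_pe() to exercise the parser; it is not bytes from the sample.

```python
"""Walk a PE section table in a memory dump and report UPX markers.

Added example, not part of the sandbox report. The PE buffer is constructed
by build_min_pe() to exercise the parser; it is not data from the sample.
"""
import struct

# Dump span reported for the hollowed process 848 (from the report above).
DUMP_START, DUMP_END = 0x400000, 0x41C000


def build_min_pe(sections, image_base=0x400000, size_of_image=0x1C000):
    """Construct a minimal PE32 image: DOS stub, COFF header, PE32 optional
    header and a section table with the given (name, vaddr, vsize) entries.
    Only the fields read by pe_sections() are populated."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)     # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    table = b"".join(
        name.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, vaddr, 0, 0, 0, 0, 0, 0, 0)
        for name, vaddr, vsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def pe_sections(buf):
    """Return (image_base, size_of_image, [(name, vaddr, vsize), ...]).
    Raises ValueError if the buffer does not start with a PE32/PE32+ header."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", buf, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                        # 40-byte section headers
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", buf, off + 8)
        secs.append((name, vaddr, vsize))
    return image_base, size_of_image, secs


def upx_verdict(buf, dump_start=DUMP_START, dump_end=DUMP_END):
    """Summarise what a 'upx' rule keys on: UPX-named sections, plus whether
    the dumped span starts at ImageBase and is large enough to hold the image."""
    image_base, size_of_image, secs = pe_sections(buf)
    return {
        "upx_sections": [n for n, _, _ in secs if n.startswith("UPX")],
        "base_matches": image_base == dump_start,
        "covers_image": dump_end - dump_start >= size_of_image,
    }


if __name__ == "__main__":
    packed = build_min_pe([("UPX0", 0x1000, 0xC000), ("UPX1", 0xD000, 0xE000),
                           (".rsrc", 0x1B000, 0x1000)])
    print(upx_verdict(packed))
```

Run against a real dump, pass the bytes of the `memory.dmp` file to `upx_verdict()` together with the start and end addresses from its filename; a UPX-named section list plus a matching ImageBase says the region is the packed image itself rather than an unpacked payload.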
Processes
[1] C:\Users\Admin\AppData\Local\Temp\28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\svchost.exe
      cmdline: C:\Windows\system32\\svchost.exe
  [2] C:\Users\Admin\AppData\Local\Temp\28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe (no command line recorded)
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\E696D64614\winlogon.exe
        cmdline: "C:\Users\Admin\E696D64614\winlogon.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\svchost.exe
          cmdline: C:\Windows\system32\\svchost.exe
      [4] C:\Users\Admin\E696D64614\winlogon.exe (no command line recorded)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\E696D64614\winlogon.exe
            cmdline: "C:\Users\Admin\E696D64614\winlogon.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 12
              - Program crash
        [5] C:\Users\Admin\E696D64614\winlogon.exe
            cmdline: "C:\Users\Admin\E696D64614\winlogon.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 12
              - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1708 -ip 1708
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5024 -ip 5024
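The SetThreadContext and WriteProcessMemory rows together with the process tree describe a repeated hollowing pattern: each parent spawns a child of its own image, writes into it and then replaces a thread context, and the dropped copy carries the name of a system binary from a user-writable directory. As an added example, not code from the sandbox report, the following Python reconstructs that chain from event lines shaped like the rows above and flags the masquerading paths. The event lines and the PID-to-image map are constructed here from the figures on this page (duplicate rows collapsed); the SYSTEM_ONLY binary list and the SYSTEM_DIRS whitelist are my own assumptions, not something the report states.

```python
"""Reconstruct process-hollowing chains and image-path masquerading from
sandbox API-event lines like those in the report above.

Added example, not part of the sandbox report; the event lines and the
PID-to-image map below are constructed from the figures on this page.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe"

# Constructed from the WriteProcessMemory / SetThreadContext rows above,
# one line per distinct source/target pair.
EVENTS = f"""\
PID 4152 wrote to memory of 1368 4152 {SAMPLE} svchost.exe
PID 4152 wrote to memory of 848 4152 {SAMPLE} {SAMPLE}
PID 4152 set thread context of 848 4152 {SAMPLE} {SAMPLE}
PID 848 wrote to memory of 400 848 {SAMPLE} winlogon.exe
PID 400 wrote to memory of 3600 400 winlogon.exe svchost.exe
PID 400 wrote to memory of 5064 400 winlogon.exe winlogon.exe
PID 400 set thread context of 5064 400 winlogon.exe winlogon.exe
PID 5064 wrote to memory of 1708 5064 winlogon.exe winlogon.exe
PID 5064 set thread context of 1708 5064 winlogon.exe winlogon.exe
PID 5064 wrote to memory of 5024 5064 winlogon.exe winlogon.exe
PID 5064 set thread context of 5024 5064 winlogon.exe winlogon.exe
"""

# PID -> full image path, taken from the Processes tree above.
IMAGES = {
    4152: rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
    848: rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
    1368: r"C:\Windows\SysWOW64\svchost.exe",
    3600: r"C:\Windows\SysWOW64\svchost.exe",
    400: r"C:\Users\Admin\E696D64614\winlogon.exe",
    5064: r"C:\Users\Admin\E696D64614\winlogon.exe",
    1708: r"C:\Users\Admin\E696D64614\winlogon.exe",
    5024: r"C:\Users\Admin\E696D64614\winlogon.exe",
}

# Assumed list of binaries that legitimately live only in the system directories.
SYSTEM_ONLY = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "services.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# "PID <src> <action> <dst> <src> <src image> <dst image>"
LINE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_events(text):
    """Return (src_pid, action, dst_pid) tuples; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"])))
    return out


def find_hollowing(events):
    """Sorted (src, dst) pairs where the same parent both wrote the child's
    memory and replaced a thread context, i.e. the WriteProcessMemory +
    SetThreadContext half of a hollowing sequence. A write alone (as into
    svchost.exe here) is not enough to flag."""
    seen = defaultdict(set)
    for src, action, dst in events:
        seen[(src, dst)].add(action)
    needed = {"wrote to memory of", "set thread context of"}
    return sorted(pair for pair, acts in seen.items() if needed <= acts)


def find_masquerades(images):
    """{pid: path} for processes whose image name is a system-only binary
    but whose directory is not a Windows system directory."""
    hits = {}
    for pid, path in images.items():
        p = PureWindowsPath(path)
        if p.name.lower() in SYSTEM_ONLY and str(p.parent).lower() not in SYSTEM_DIRS:
            hits[pid] = path
    return hits


def hollowing_chain(events, images):
    """Render hollowing pairs as readable parent -> child lines with image names."""
    return [f"{src} ({PureWindowsPath(images[src]).name}) -> "
            f"{dst} ({PureWindowsPath(images[dst]).name})"
            for src, dst in find_hollowing(events)]


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    for line in hollowing_chain(ev, IMAGES):
        print("hollowing:", line)
    for pid, path in sorted(find_masquerades(IMAGES).items()):
        print("masquerade:", pid, path)
```

The two svchost.exe children (1368, 3600) receive writes but no SetThreadContext, so they are not reported as hollowed; requiring both calls from the same parent is what keeps ordinary WriteProcessMemory users (debuggers, some installers) out of the result.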
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\E696D64614\winlogon.exe (recorded 5 times; every record is identical)
Filesize: 1.6MB
MD5: 0113e41018d832aba3aaabe664ac4775
SHA1: dfeedb9da14800ebedb5bf051a8387d35f48986c
SHA256: 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581
SHA512: e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a
All four hashes equal those of the submitted sample, so the dropped winlogon.exe is a byte-for-byte self-copy. It is written to a user-writable directory under the name of a Windows system binary; the genuine winlogon.exe lives in C:\Windows\System32, so this path is a usable hunting indicator on its own.
memory/1368-132-0x0000000000000000-mapping.dmp
memory/848-133-0x0000000000000000-mapping.dmp
memory/848-134-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
memory/848-136-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
memory/848-137-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
memory/400-140-0x0000000000000000-mapping.dmp
memory/848-143-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
memory/3600-144-0x0000000000000000-mapping.dmp
memory/5064-145-0x0000000000000000-mapping.dmp
memory/5064-153-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
memory/1708-154-0x0000000000000000-mapping.dmp
memory/5024-157-0x0000000000000000-mapping.dmp