Analysis
max time kernel: 149s
max time network: 61s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 14:27
Static task: static1
Behavioral task: behavioral1
  Sample: 454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
  Resource: win10v2004-20221111-en
General
Target: 454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
Size: 385KB
MD5: 04cfc2135b1bf2061b5893d826536a23
SHA1: af152c1d257812a315c4e36bb71b871f09bfa47c
SHA256: 454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d
SHA512: b364b7f53eeeee263a7f1687cb1a55428ec5d2d99b5698d05cc0f67b674314a693bd9b49f4b122f3d333354a978f81d109345b1d074737f30aadbb7067834335
SSDEEP: 6144:g5GxLm5HeuV6VeAJiGE5+I6e2aD+4B6htvOi/+k/Igk2b3LQlwkGnTLELguh9NbE:ikLIHFLAMGEBUq+uluggkC7QifTLULbE
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   process
  2020  winlogon.exe
  616   winlogon.exe
  1660  csrss.exe
Loads dropped DLL (5 IoCs)
  pid   process
  1324  454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
  1324  454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
  2020  winlogon.exe
  2020  winlogon.exe
  2020  winlogon.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / process
  Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" (winlogon.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" (winlogon.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" (csrss.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" (csrss.exe)
Suspicious use of SetThreadContext (1 IoCs)
  description                         pid   process       target process
  PID 2020 set thread context of 616  2020  winlogon.exe  winlogon.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NTFS ADS (4 IoCs)
  description / ioc / process
  File created C:\Users\Admin\AppData\Local\Temp\454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe:ZONE.identifier (cmd.exe)
  File created C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA (454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier (cmd.exe)
  File created C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe\:ZONE.identifier:$DATA (winlogon.exe)
Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid   process
  1660  csrss.exe  (39 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  616   winlogon.exe
  Token: SeDebugPrivilege  1660  csrss.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  process
  616  winlogon.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  description                          pid   process                                                                 target process  entries
  PID 1324 wrote to memory of 760      1324  454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe  cmd.exe         4
  PID 1324 wrote to memory of 2020     1324  454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe  winlogon.exe    4
  PID 2020 wrote to memory of 1356     2020  winlogon.exe                                                            cmd.exe         4
  PID 2020 wrote to memory of 616      2020  winlogon.exe                                                            winlogon.exe    9
  PID 2020 wrote to memory of 1660     2020  winlogon.exe                                                            csrss.exe       4
Processes
C:\Users\Admin\AppData\Local\Temp\454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID: 1324
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe":ZONE.identifier & exit
    - NTFS ADS
    PID: 760
  C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID: 2020
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
      - NTFS ADS
      PID: 1356
    C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 616
    C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 616 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1660
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d.exe
  Filesize: 385KB
  MD5: 04cfc2135b1bf2061b5893d826536a23
  SHA1: af152c1d257812a315c4e36bb71b871f09bfa47c
  SHA256: 454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d
  SHA512: b364b7f53eeeee263a7f1687cb1a55428ec5d2d99b5698d05cc0f67b674314a693bd9b49f4b122f3d333354a978f81d109345b1d074737f30aadbb7067834335
11 further download entries, each with the same size and hashes (no path given):
  Filesize: 385KB
  MD5: 04cfc2135b1bf2061b5893d826536a23
  SHA1: af152c1d257812a315c4e36bb71b871f09bfa47c
  SHA256: 454f9af37fe145ffc233b3e24eec3e43098e1d0186ac2deadffbae2addb05a1d
  SHA512: b364b7f53eeeee263a7f1687cb1a55428ec5d2d99b5698d05cc0f67b674314a693bd9b49f4b122f3d333354a978f81d109345b1d074737f30aadbb7067834335