6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650

General

Target

6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
Size

20KB
MD5

479ebb62ea78dc8b2bbbe180c171b780
SHA1

36a2bc47b44dfcfd37c2762b66f13e616c217ea7
SHA256

6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650
SHA512

968fb8893691df3f8b6400e7e6a794926e0c2f0fad0142cbaea2bd3a01cf3d579b8e5bb61505ffcdf859ff5fa3a17b3bfde38e145f023dec082fed71b689e304
SSDEEP

192:Np91TsJER6fHpUeLhUeKv45GWpaJzEACsIYQDRFmOO2tIe4DKio4aCIkgUwzJr3L:NxAE6FsvsGTzEVYQP4ZXcr3le2UcSU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

4608 winlogon.exe

pid	process
4608	winlogon.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winlogon.exe

description	ioc	process
File opened (read-only)	\??\A:	winlogon.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\F:	winlogon.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\R:	winlogon.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

winlogon.exe

description ioc process

File created C:\autorun.inf winlogon.exe
File opened for modification C:\autorun.inf winlogon.exe

description	ioc	process
File created	C:\autorun.inf	winlogon.exe
File opened for modification	C:\autorun.inf	winlogon.exe

Drops file in Windows directory 2 IoCs

Processes:

6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

description	ioc	process
File opened for modification	C:\Windows\system\winlogon.exe	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
File created	C:\Windows\system\winlogon.exe	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

pid	process
812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

description	pid	process
Token: SeDebugPrivilege	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
Token: SeDebugPrivilege	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe

description	pid	process	target process
PID 812 wrote to memory of 4608	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe	winlogon.exe
PID 812 wrote to memory of 4608	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe	winlogon.exe
PID 812 wrote to memory of 4608	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe	winlogon.exe
PID 812 wrote to memory of 1988	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe	cmd.exe
PID 812 wrote to memory of 1988	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe	cmd.exe
PID 812 wrote to memory of 1988	812	6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe
"C:\Users\Admin\AppData\Local\Temp\6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system\winlogon.exe
C:\Windows\system\winlogon.exe /sleepDown
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe.bat
2⤵
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650.exe.bat

Filesize
248B

MD5
17f30b2c721fc00dfb1975755522f3c4

SHA1
cfc54b7aaf56fa73fdb43ed151552691e3dba170

SHA256
9d30d9a93715553fd60f083f66cc52fd8084d822b50d9cc203b9481015b0447d

SHA512
4e113e26290360ad8b69bf86afa78f1c84be41dcbd16944056fda7feb0dfac3d368fe0cbc6c0e9b58fc0516c42016ed033251dd6a859226f9743e60dbb97a947

Download Submit
C:\Windows\System\winlogon.exe

Filesize
20KB

MD5
479ebb62ea78dc8b2bbbe180c171b780

SHA1
36a2bc47b44dfcfd37c2762b66f13e616c217ea7

SHA256
6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650

SHA512
968fb8893691df3f8b6400e7e6a794926e0c2f0fad0142cbaea2bd3a01cf3d579b8e5bb61505ffcdf859ff5fa3a17b3bfde38e145f023dec082fed71b689e304

Download Submit
C:\Windows\system\winlogon.exe

Filesize
20KB

MD5
479ebb62ea78dc8b2bbbe180c171b780

SHA1
36a2bc47b44dfcfd37c2762b66f13e616c217ea7

SHA256
6218991e135c51766abc462aa393b3b4f5460824c8bd767d1f997b0c7d54f650

SHA512
968fb8893691df3f8b6400e7e6a794926e0c2f0fad0142cbaea2bd3a01cf3d579b8e5bb61505ffcdf859ff5fa3a17b3bfde38e145f023dec082fed71b689e304

Download Submit
memory/812-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-136-0x0000000000000000-mapping.dmp

Download
memory/4608-133-0x0000000000000000-mapping.dmp

Download
memory/4608-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads