9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041

Analysis

max time kernel
185s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe
Size

1.0MB
MD5

b3808373acbf5cd33017d74a9d98fc97
SHA1

13ebf7d5b278d2cc5086418396be481cb63c0b5f
SHA256

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041
SHA512

94ee11f96e18bac9a2a3014d78e95eff4373781a2eae173a0fdb4f652a50022960faf5c09bd81bb8cd5c0b4ed354f580ab8120e744796991abf9ba729cd1dc37
SSDEEP

24576:fxtX01nIv47zxUkDmmfdECJCIkFniRksy5j69c:JtXqnRzyoJfdTJG8kl

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\System32\\config\\Journal\\winlogon.exe"	Trojan.exe

Executes dropped EXE 2 IoCs

Processes:

Brute.exeTrojan.exe

pid process

2204 Brute.exe
4768 Trojan.exe

pid	process
2204	Brute.exe
4768	Trojan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe

Drops file in System32 directory 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Windows\System32\config\Journal\winlogon.exe	Trojan.exe
File opened for modification	C:\Windows\System32\config\Journal\winlogon.exe	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe

description	pid	process	target process
PID 4636 wrote to memory of 2204	4636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 4636 wrote to memory of 2204	4636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 4636 wrote to memory of 2204	4636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Brute.exe
PID 4636 wrote to memory of 4768	4636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Trojan.exe
PID 4636 wrote to memory of 4768	4636	9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe
"C:\Users\Admin\AppData\Local\Temp\9c1e2354c62573e1abfde9ecaf9aaf3199d343e80daa160e92ab1e6c25ad7041.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\Brute.exe
"C:\Users\Admin\AppData\Local\Temp\Brute.exe"
2⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Brute.exe
Filesize
1.5MB

MD5
f9e45861c7f2bad01d08c61da0b74270

SHA1
12b6e0785320009df763d4d6351c52bd8de631c5

SHA256
5a64d18bea2573939fd21ec469fa4a2b58c0c455e8e00df0a5aeb2b5ad21941d

SHA512
d4194c0418ee156f0c844d67b0f9aa0f0c8583b3e108a5c04605f50624b2200e461210c48e4265fc1ebab79f76afcf9330e854489c1ef4c0901c50e9f262ed5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brute.exe
Filesize
1.5MB

MD5
f9e45861c7f2bad01d08c61da0b74270

SHA1
12b6e0785320009df763d4d6351c52bd8de631c5

SHA256
5a64d18bea2573939fd21ec469fa4a2b58c0c455e8e00df0a5aeb2b5ad21941d

SHA512
d4194c0418ee156f0c844d67b0f9aa0f0c8583b3e108a5c04605f50624b2200e461210c48e4265fc1ebab79f76afcf9330e854489c1ef4c0901c50e9f262ed5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
11KB

MD5
56d7965758dc724dfe9c5b8afc9f4036

SHA1
76d1ffaf52f4c608a067f1143899235ac92a5c1b

SHA256
ebd926753914e013f94ded1f37c36e6ef0fa2418f69d36c836ca4148b4269d3f

SHA512
b7b9d7aee65ccba8023de9382fa6513938805c01a6878c8c397124f2d197f33ece7d4a8cb7ef402c20ffa9890a3df0d664a4c17dc05a5bb0dfc690af981e2edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
11KB

MD5
56d7965758dc724dfe9c5b8afc9f4036

SHA1
76d1ffaf52f4c608a067f1143899235ac92a5c1b

SHA256
ebd926753914e013f94ded1f37c36e6ef0fa2418f69d36c836ca4148b4269d3f

SHA512
b7b9d7aee65ccba8023de9382fa6513938805c01a6878c8c397124f2d197f33ece7d4a8cb7ef402c20ffa9890a3df0d664a4c17dc05a5bb0dfc690af981e2edd

Download Submit
memory/2204-133-0x0000000000000000-mapping.dmp

Download
memory/4768-136-0x0000000000000000-mapping.dmp

Download
memory/4768-139-0x00007FFA00E70000-0x00007FFA018A6000-memory.dmp

Filesize
10.2MB

Download