14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e

General

Target

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe
Size

102KB
MD5

58bc14cd9a5b15b3d7926f857484042f
SHA1

77e0eaf796306feb74a474703526f6ab1ab7ed4d
SHA256

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e
SHA512

7ba79d436c56ecc0e19583feb304e46ad79218126cd5881676ebb79c2dbf283ce0ab7a93eb272eff6db2e69f524697f334a7f637afed6b2b93126ae2a870817b
SSDEEP

1536:9QxqcQu0XPmEmEcYUpEjCTfaAIW1EvqTlrxtPpFAXF9N/6Sy:y/03mEcppEjCTfaAIWSqTlrbPLEz4

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6tyE16C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\twext.exe,"	6tyE16C.exe

Executes dropped EXE 2 IoCs

Processes:

6tyE16C.exe6tyE16C.exe

pid process

1248 6tyE16C.exe
4824 6tyE16C.exe

pid	process
1248	6tyE16C.exe
4824	6tyE16C.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe

Drops file in System32 directory 2 IoCs

Processes:

6tyE16C.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\twext.exe 6tyE16C.exe
File created C:\Windows\SysWOW64\twext.exe 6tyE16C.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

6tyE16C.exe

description pid process target process

PID 1248 set thread context of 4824 1248 6tyE16C.exe 6tyE16C.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6tyE16C.exe

pid process

4824 6tyE16C.exe
4824 6tyE16C.exe
4824 6tyE16C.exe
4824 6tyE16C.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6tyE16C.exe

description pid process

Token: SeDebugPrivilege 4824 6tyE16C.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6tyE16C.exe

pid process

1248 6tyE16C.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\twext.exe	6tyE16C.exe
File created	C:\Windows\SysWOW64\twext.exe	6tyE16C.exe

description	pid	process	target process
PID 1248 set thread context of 4824	1248	6tyE16C.exe	6tyE16C.exe

pid	process
4824	6tyE16C.exe
4824	6tyE16C.exe
4824	6tyE16C.exe
4824	6tyE16C.exe

description	pid	process
Token: SeDebugPrivilege	4824	6tyE16C.exe

pid	process
1248	6tyE16C.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe6tyE16C.exe6tyE16C.exe

description	pid	process	target process
PID 900 wrote to memory of 1248	900	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6tyE16C.exe
PID 900 wrote to memory of 1248	900	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6tyE16C.exe
PID 900 wrote to memory of 1248	900	14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 1248 wrote to memory of 4824	1248	6tyE16C.exe	6tyE16C.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe
PID 4824 wrote to memory of 608	4824	6tyE16C.exe	winlogon.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe
"C:\Users\Admin\AppData\Local\Temp\14198d89ceab423eac364fc5bf110eaa5fa9d283a872ef622909065d267a8a9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe
"C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe
"C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6tyE16C.exe
Filesize
74KB

MD5
5b1a85d948bd7a075ebd0df2296ae9d5

SHA1
2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

SHA256
8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

SHA512
46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

Download Submit
memory/608-196-0x0000000034F70000-0x0000000034F96000-memory.dmp

Filesize
152KB

Download
memory/608-201-0x0000000034FA0000-0x0000000034FC6000-memory.dmp

Filesize
152KB

Download
memory/608-241-0x0000000035120000-0x0000000035146000-memory.dmp

Filesize
152KB

Download
memory/608-236-0x00000000350F0000-0x0000000035116000-memory.dmp

Filesize
152KB

Download
memory/608-231-0x00000000350C0000-0x00000000350E6000-memory.dmp

Filesize
152KB

Download
memory/608-226-0x0000000035090000-0x00000000350B6000-memory.dmp

Filesize
152KB

Download
memory/608-221-0x0000000035060000-0x0000000035086000-memory.dmp

Filesize
152KB

Download
memory/608-216-0x0000000035030000-0x0000000035056000-memory.dmp

Filesize
152KB

Download
memory/608-211-0x0000000035000000-0x0000000035026000-memory.dmp

Filesize
152KB

Download
memory/608-151-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/608-156-0x0000000034DF0000-0x0000000034E16000-memory.dmp

Filesize
152KB

Download
memory/608-161-0x0000000034E20000-0x0000000034E46000-memory.dmp

Filesize
152KB

Download
memory/608-166-0x0000000034E50000-0x0000000034E76000-memory.dmp

Filesize
152KB

Download
memory/608-171-0x0000000034E80000-0x0000000034EA6000-memory.dmp

Filesize
152KB

Download
memory/608-176-0x0000000034EB0000-0x0000000034ED6000-memory.dmp

Filesize
152KB

Download
memory/608-181-0x0000000034EE0000-0x0000000034F06000-memory.dmp

Filesize
152KB

Download
memory/608-186-0x0000000034F10000-0x0000000034F36000-memory.dmp

Filesize
152KB

Download
memory/608-191-0x0000000034F40000-0x0000000034F66000-memory.dmp

Filesize
152KB

Download
memory/608-206-0x0000000034FD0000-0x0000000034FF6000-memory.dmp

Filesize
152KB

Download
memory/1248-132-0x0000000000000000-mapping.dmp

Download
memory/4824-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4824-145-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4824-146-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/4824-144-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4824-137-0x0000000000000000-mapping.dmp

Download
memory/4824-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4824-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4824-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads