Analysis
- max time kernel: 77s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 06:45
- Static task: static1
- Behavioral task: behavioral1
  Sample: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
  Resource: win10v2004-20221111-en
General
- Target: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
- Size: 329KB
- MD5: 2927cfa58259da34494ae3445107a372
- SHA1: 3b6ef88d46c09541b3dc5e89aac4dd5602d45d81
- SHA256: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415
- SHA512: e1f5522dda3af9c0caa2c4a5c62880fec5c183f70704988eaec933319a5f89797415fd9baec97a7718986a8d180e42f6e3b6fa96339514cbafd2c71742a11de4
- SSDEEP: 6144:hy+o4AwgO9JhQONF+d3ev+tNB3xfjoUlDLJDU7W8N6UlE:hy+tP9JvNG3ev+tNB3x
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | winlogon.exe
The stock Winlogon Shell value is exactly "explorer.exe"; Winlogon launches every comma-separated entry at interactive logon, so the appended %APPDATA%\winlogon.exe is started with each logon. The value was written both to the current user's hive (HKU\<SID>) and to the 32-bit (Wow6432Node) view of HKLM\SOFTWARE.
-
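To turn the two Winlogon Shell IoCs above into a reusable check, here is an added Python example; it is not part of the sandbox report and not the sample's own code. The two embedded record lines are copied from the signature as the sandbox prints them (description, ioc, process). The record regex, the hive labels and the short list of user-writable directories are my own assumptions, and the check goes slightly beyond this sample: it flags every non-default entry in a Shell value, not just this one path.

```python
import re

# Constructed input: the two "Set value (str)" records listed under
# "Modifies WinLogon for persistence" in this report, one record per line
# (description, ioc, process), exactly as the sandbox prints them.
REPORT_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" winlogon.exe
"""

# One sandbox record: Set value (str) <registry path> = "<data>" <writing process>
# (assumed layout, derived from the two lines above)
IOC_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

# The stock Winlogon Shell is this single entry. Winlogon starts every
# comma-separated entry at interactive logon, so anything appended after it
# is a logon-time persistence payload.
DEFAULT_SHELL = "explorer.exe"

# Directories a standard user can write to (assumption: a short list that
# covers this sample; extend it for your environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def hive_of(key: str) -> str:
    """Translate the kernel-style \\REGISTRY\\... path into the view to query on a host."""
    k = key.lower()
    if k.startswith("\\registry\\user\\"):
        return "HKU (per-user)"
    if k.startswith("\\registry\\machine\\"):
        if "\\wow6432node\\" in k:
            return "HKLM 32-bit view (Wow6432Node)"
        return "HKLM"
    return "unknown hive"


def split_shell(data: str) -> list:
    """Undo the report's doubled backslashes and split the comma-separated Shell list."""
    data = data.replace("\\\\", "\\")
    return [part.strip() for part in data.split(",") if part.strip()]


def find_winlogon_shell_persistence(report_text: str) -> list:
    """Return one finding per program appended to a Winlogon Shell value."""
    findings = []
    for line in report_text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        key, data, proc = m.group("key"), m.group("data"), m.group("proc")
        if not key.lower().endswith("\\winlogon\\shell"):
            continue
        # Entries beyond the stock shell are the persistence payload.
        extras = [e for e in split_shell(data) if e.lower() != DEFAULT_SHELL]
        for extra in extras:
            findings.append({
                "hive": hive_of(key),
                "key": key,
                "shell": extra,
                "writer": proc,
                "user_writable": any(p in extra.lower() for p in USER_WRITABLE),
            })
    return findings


if __name__ == "__main__":
    for f in find_winlogon_shell_persistence(REPORT_IOCS):
        flag = "USER-WRITABLE PATH" if f["user_writable"] else ""
        print(f'{f["hive"]}: Shell += {f["shell"]} (written by {f["writer"]}) {flag}')
```

On a live host the same test is: read Shell under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, under the Wow6432Node view of that key, and under each loaded user hive in HKU; a clean value is exactly `explorer.exe` and nothing else.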
Executes dropped EXE (2 IoCs)
Processes: winlogon.exe, server.exe
pid | process
2032 | winlogon.exe
692 | server.exe
-
Loads dropped DLL (4 IoCs)
Processes: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe, winlogon.exe
pid | process
240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
2032 | winlogon.exe
2032 | winlogon.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic comment "Likely ransomware behaviour" to this signature; no file-encryption activity is recorded anywhere else in this report, so on this page it is evidence of drive enumeration only.
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe, winlogon.exe
description | pid | process
Token: SeDebugPrivilege | 240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
Token: SeDebugPrivilege | 2032 | winlogon.exe
Token: SeDebugPrivilege | 2032 | winlogon.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe, winlogon.exe
description | pid | process | target process
PID 240 wrote to memory of 2032 | 240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe | winlogon.exe
PID 240 wrote to memory of 2032 | 240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe | winlogon.exe
PID 240 wrote to memory of 2032 | 240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe | winlogon.exe
PID 240 wrote to memory of 2032 | 240 | f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe | winlogon.exe
PID 2032 wrote to memory of 692 | 2032 | winlogon.exe | server.exe
PID 2032 wrote to memory of 692 | 2032 | winlogon.exe | server.exe
PID 2032 wrote to memory of 692 | 2032 | winlogon.exe | server.exe
PID 2032 wrote to memory of 692 | 2032 | winlogon.exe | server.exe
All eight writes go from a parent into the child it has just created (240 -> 2032, 2032 -> 692). CreateProcess itself writes the new process's startup parameters into the child this way, so on their own these records document process creation, not injection into a foreign process; a write into a process the writer did not create would be the record to escalate.
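The parent-to-child observation above is easy to mechanise when a report has dozens of WriteProcessMemory records. The following is an added Python example, not part of the sandbox report or the sample: it parses the eight records above, folds them by (source, target), and labels each pair "own child" when the process tree says the writer created the target, or "cross-process" otherwise. The record regex is an assumption from the lines above, the parent map is copied from the Processes tree, and one extra record (server.exe writing into a PID 1234 explorer.exe) is invented purely to exercise the cross-process branch and does not appear in this report.

```python
import re
from collections import Counter

# Constructed input: the eight "Suspicious use of WriteProcessMemory" records
# from this report (description, pid, process, target process), one per line.
WRITE_IOCS = """
PID 240 wrote to memory of 2032 240 f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe winlogon.exe
PID 240 wrote to memory of 2032 240 f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe winlogon.exe
PID 240 wrote to memory of 2032 240 f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe winlogon.exe
PID 240 wrote to memory of 2032 240 f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe winlogon.exe
PID 2032 wrote to memory of 692 2032 winlogon.exe server.exe
PID 2032 wrote to memory of 692 2032 winlogon.exe server.exe
PID 2032 wrote to memory of 692 2032 winlogon.exe server.exe
PID 2032 wrote to memory of 692 2032 winlogon.exe server.exe
"""

# Hypothetical record, NOT in the report: a write into a process the writer
# did not create. Included only to exercise the cross-process branch.
HYPOTHETICAL_CROSS_WRITE = "PID 692 wrote to memory of 1234 692 server.exe explorer.exe"

# Parent/child relations taken from the Processes tree in this report
# (PID 240 is the root and has no parent entry).
PARENT_OF = {2032: 240, 692: 2032}

# Assumed record layout, derived from the lines above.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)$"
)


def parse_writes(text: str) -> list:
    """Return (source pid, target pid, source image, target image) per record."""
    writes = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return writes


def classify_writes(writes: list, parent_of: dict) -> list:
    """Collapse repeated records into one row per (source, target) and label it.

    "own child": the writer created the target. CreateProcess shows up this
    way, because the parent writes the new process's startup parameters into
    the child before the child's first instruction runs.
    "cross-process": the target is not the writer's child, which is the
    pattern injection into a foreign process produces.
    """
    counts = Counter(writes)  # insertion-ordered, so rows follow the report
    rows = []
    for (src, dst, proc, target), n in counts.items():
        kind = "own child" if parent_of.get(dst) == src else "cross-process"
        rows.append({"src": src, "dst": dst, "process": proc,
                     "target": target, "writes": n, "kind": kind})
    return rows


def cross_process_rows(rows: list) -> list:
    """The subset worth escalating."""
    return [r for r in rows if r["kind"] == "cross-process"]


if __name__ == "__main__":
    demo = parse_writes(WRITE_IOCS + HYPOTHETICAL_CROSS_WRITE)
    for r in classify_writes(demo, PARENT_OF):
        print(f'{r["process"]} ({r["src"]}) -> {r["target"]} ({r["dst"]}): '
              f'{r["writes"]} write(s), {r["kind"]}')
```

Run against the report's own records the function returns two "own child" rows and nothing to escalate; only the invented server.exe -> explorer.exe record lands in the cross-process bucket.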
Processes
-
Process tree (depth from the sandbox's 1/2/3 markers; each entry: image path, command line, PID, signatures hit):

[1] C:\Users\Admin\AppData\Local\Temp\f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415.exe"
    PID: 240
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\winlogon.exe (child of PID 240)
      command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
      PID: 2032
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\server.exe (child of PID 2032)
        command line: "C:\Users\Admin\AppData\Roaming\server.exe"
        PID: 692
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Dropped files. Every entry below has the same size and the same MD5/SHA1/SHA256/SHA512 as the submitted sample, i.e. the sample writes copies of itself into the user's Roaming AppData under two names:
- C:\Users\Admin\AppData\Roaming\server.exe
- C:\Users\Admin\AppData\Roaming\winlogon.exe
- \Users\Admin\AppData\Roaming\server.exe
- \Users\Admin\AppData\Roaming\winlogon.exe
For each of the above:
Filesize: 329KB
MD5: 2927cfa58259da34494ae3445107a372
SHA1: 3b6ef88d46c09541b3dc5e89aac4dd5602d45d81
SHA256: f6d21661b97d9aef334cdeba7fec3e348b9f35e5a10b36d92896795796ce9415
SHA512: e1f5522dda3af9c0caa2c4a5c62880fec5c183f70704988eaec933319a5f89797415fd9baec97a7718986a8d180e42f6e3b6fa96339514cbafd2c71742a11de4
-
Memory dumps:
dump | region | filesize
memory/240-63 | 0x00000000742E0000-0x000000007488B000 | 5.7MB
memory/240-54 | 0x00000000753C1000-0x00000000753C3000 | 8KB
memory/240-56 | 0x00000000742E0000-0x000000007488B000 | 5.7MB
memory/240-55 | 0x00000000742E0000-0x000000007488B000 | 5.7MB
memory/692-68 | 0x0000000000000000 (mapping.dmp) | -
memory/2032-59 | 0x0000000000000000 (mapping.dmp) | -
memory/2032-64 | 0x00000000742E0000-0x000000007488B000 | 5.7MB
memory/2032-65 | 0x00000000742E0000-0x000000007488B000 | 5.7MB