Analysis
- max time kernel: 138s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 17:04
Static task: static1

Behavioral task: behavioral1
- Sample: 0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe
- Resource: win10v2004-20220812-en
General
- Target: 0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe
- Size: 716KB
- MD5: 925d83f35c3f88ca7523723e2c8c85e0
- SHA1: faee021043c5b09704e692eb7aaeb21301c70b9d
- SHA256: 0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3
- SHA512: 5a8f3ac798140ca5119ed416559649f0272b9f9482db1679d9f0fe4bc7826884818b917bb920f50e25e06ba58fd70bd84f4e95b5aad1d351cf6c2e7288a3b923
- SSDEEP: 12288:S2Zw/eTW0JYVFBgcX9jCVBBQExGI7/WOpNrDRnHEWupTyOtq/RuGOWgj:tW/eTWdEyjEBBQ6WENnRkWupTSZz+
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: ebuka6733
Signatures

Nirsoft (3 IoCs)
  Resources matching the yara_rule Nirsoft:
  - behavioral2/memory/4900-150-0x0000000000400000-0x0000000000418000-memory.dmp
  - behavioral2/memory/4900-152-0x0000000000400000-0x0000000000418000-memory.dmp
  - behavioral2/memory/4900-154-0x0000000000400000-0x0000000000418000-memory.dmp

Executes dropped EXE (3 IoCs)
  - PID 4708 winlogon.exe
  - PID 3376 winlogon.exe
  - PID 4888 winlogon.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (winlogon.exe)

Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe (cmd.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe (cmd.exe)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" (winlogon.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" (winlogon.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - Flow 9: bot.whatismyipaddress.com

Suspicious use of SetThreadContext (2 IoCs)
  - PID 4708 (winlogon.exe) set thread context of PID 4888 (winlogon.exe)
  - PID 4888 (winlogon.exe) set thread context of PID 4900 (vbc.exe)

Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp (dw20.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (dw20.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (dw20.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dw20.exe)

Enumerates system info in registry (2 TTPs, 2 IoCs)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (dw20.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (dw20.exe)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeDebugPrivilege, PID 4888 (winlogon.exe)
  - Token: SeRestorePrivilege, PID 1356 (dw20.exe)
  - Token: SeBackupPrivilege, PID 1356 (dw20.exe), reported 4 times

Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 4888 winlogon.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  - PID 3092 (0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe) wrote to memory of PID 4708 (winlogon.exe): 2 events
  - PID 4708 (winlogon.exe) wrote to memory of PID 3376 (winlogon.exe): 3 events
  - PID 4708 (winlogon.exe) wrote to memory of PID 4888 (winlogon.exe): 8 events
  - PID 4888 (winlogon.exe) wrote to memory of PID 4972 (cmd.exe): 3 events
  - PID 4888 (winlogon.exe) wrote to memory of PID 1356 (dw20.exe): 3 events
  - PID 4888 (winlogon.exe) wrote to memory of PID 4900 (vbc.exe): 9 events
Processes

C:\Users\Admin\AppData\Local\Temp\0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe"
  PID: 3092
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    PID: 4708
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
      PID: 3376
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
      PID: 4888
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"
        PID: 4972
        - Drops startup file

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 2456
        PID: 1356
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
        PID: 4900
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (listed 3 times in the report)
  Filesize: 4KB
  MD5: e1190859ab4f21e58d1873afc1b3cff2
  SHA1: 50d4f9f444dba70b9918c4b812b5d9a098e0f867
  SHA256: 9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73
  SHA512: f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

- C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (listed 2 times in the report; hashes identical to the submitted sample)
  Filesize: 716KB
  MD5: 925d83f35c3f88ca7523723e2c8c85e0
  SHA1: faee021043c5b09704e692eb7aaeb21301c70b9d
  SHA256: 0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3
  SHA512: 5a8f3ac798140ca5119ed416559649f0272b9f9482db1679d9f0fe4bc7826884818b917bb920f50e25e06ba58fd70bd84f4e95b5aad1d351cf6c2e7288a3b923
- memory/1356-147-0x0000000000000000-mapping.dmp
- memory/3092-132-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp (10.2MB)
- memory/4708-136-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp (10.2MB)
- memory/4708-133-0x0000000000000000-mapping.dmp
- memory/4888-138-0x0000000000400000-0x0000000000476000-memory.dmp (472KB)
- memory/4888-139-0x0000000000400000-0x0000000000476000-memory.dmp (472KB)
- memory/4888-145-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
- memory/4888-148-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
- memory/4888-140-0x0000000000400000-0x0000000000476000-memory.dmp (472KB)
- memory/4888-153-0x0000000075260000-0x0000000075811000-memory.dmp (5.7MB)
- memory/4888-142-0x00000000004708DE-mapping.dmp
- memory/4900-152-0x0000000000400000-0x0000000000418000-memory.dmp (96KB)
- memory/4900-154-0x0000000000400000-0x0000000000418000-memory.dmp (96KB)
- memory/4900-149-0x0000000000000000-mapping.dmp
- memory/4900-150-0x0000000000400000-0x0000000000418000-memory.dmp (96KB)
- memory/4972-146-0x0000000000000000-mapping.dmp