Analysis
-
max time kernel
147s -
max time network
186s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 09:01
Behavioral task
behavioral1
Sample
e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe
Resource
win7-20221111-en
General
-
Target
e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe
-
Size
315KB
-
MD5
3fcfd5c852a561e4cd8c7d8017ffdb6e
-
SHA1
0f2a20dedede3b6469ef69f0460a56212bb07195
-
SHA256
e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487
-
SHA512
52946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980
-
SSDEEP
1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 14 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-51124679" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-80376511" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-97319381" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-64367842" winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
winlogon.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts winlogon.exe -
Executes dropped EXE 2 IoCs
Processes:
winlogon.exewinlogon.exepid process 1120 winlogon.exe 1052 winlogon.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fix-it.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isrv95.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frw.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vccmserv.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Netscape.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iris.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsfcm.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwnb181.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vvstat.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmlisten.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icssuppnt.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsys32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvlaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\st2.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe -
Processes:
resource yara_rule behavioral1/memory/1728-55-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/1728-58-0x0000000000400000-0x0000000000447000-memory.dmp upx \Users\Admin\E696D64614\winlogon.exe upx \Users\Admin\E696D64614\winlogon.exe upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/1728-63-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/1120-66-0x0000000000400000-0x0000000000447000-memory.dmp upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/1052-69-0x0000000000400000-0x000000000043F000-memory.dmp upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/1052-73-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1052-74-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1052-78-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1052-87-0x0000000000400000-0x000000000043F000-memory.dmp upx -
Loads dropped DLL 2 IoCs
Processes:
e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exepid process 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus winlogon.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\1574C46594945565 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1574C46594945565 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
winlogon.exedescription pid process target process PID 1120 set thread context of 1052 1120 winlogon.exe winlogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Sound\Beep = "no" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Sound winlogon.exe -
Processes:
winlogon.exeiexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://6balwdiaq707788.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://rf53t5yw51aw154.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://dmv8cvyz8usyfic.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://81q0905p2bs6938.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://j58d43sr3wg1240.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://19oiv4248tc188x.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://5ry9eaf29ec628k.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA3AEA91-6DE5-11ED-BDBF-EEAC7132E42C} = "0" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://7p5009fw8382298.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://7j042esydcukg6y.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://h4zks04my05k3s5.directorio-w.com" winlogon.exe -
Modifies registry class 24 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe -
Processes:
winlogon.exewinlogon.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 winlogon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e winlogon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 winlogon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e winlogon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
winlogon.exepid process 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe 1052 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
winlogon.exedescription pid process Token: SeBackupPrivilege 1052 winlogon.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 944 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exewinlogon.exewinlogon.exeiexplore.exeIEXPLORE.EXEpid process 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe 1120 winlogon.exe 1052 winlogon.exe 944 iexplore.exe 944 iexplore.exe 1688 IEXPLORE.EXE 1688 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exewinlogon.exeiexplore.exedescription pid process target process PID 1728 wrote to memory of 1120 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe winlogon.exe PID 1728 wrote to memory of 1120 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe winlogon.exe PID 1728 wrote to memory of 1120 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe winlogon.exe PID 1728 wrote to memory of 1120 1728 e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 1120 wrote to memory of 1052 1120 winlogon.exe winlogon.exe PID 944 wrote to memory of 1688 944 iexplore.exe IEXPLORE.EXE PID 944 wrote to memory of 1688 944 iexplore.exe IEXPLORE.EXE PID 944 wrote to memory of 1688 944 iexplore.exe IEXPLORE.EXE PID 944 wrote to memory of 1688 944 iexplore.exe IEXPLORE.EXE -
System policy modification 1 TTPs 4 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe"C:\Users\Admin\AppData\Local\Temp\e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
2KB
MD58cd381eca2d5342e36b1e65a9b7f82d5
SHA1d9b529576e1ea26e8daf88fcda26b7a0069da217
SHA25617ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369
SHA512c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD58641ac0a62e1e72023be75ceed4638a9
SHA1a347dbd79e99d81cdd6ec77783008fec9f7e7d42
SHA256d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c
SHA5129a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481FFilesize
472B
MD5176c5bdeeb799ec212e8b21126aa58d5
SHA102c76719828821643ec84cfe61ecb4499838021c
SHA256eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842
SHA512a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
488B
MD5b8bd657d2e56a87afcda1aa9fb089dcb
SHA121dc1a05ce8ee828301b1fc067d3b5a4fb2f3385
SHA256c21cac5a008adeb3a5e2e94b57ff5c925208a4e5999aacac19e2e9bc882766dc
SHA51265b6fa898d6f577ca26423b15e709c4d0ba3dbf1126334fecec1507b5f97d88d92b13a7997e1536eefa4c082d150e9edfc5dc379e7bd0c268ac42b0abefe4421
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5aa989af9cbfb2469cfe76d153d2ede36
SHA194f0e075823d9bb54d15356ea5a18403931245c6
SHA25681f32e5cf5b17a38370dde8f626eaa4e8b49be6f98a928202aa7479c4fb09d04
SHA512898ec8793c9a1cbcf71c1b715f6932177bd4ea194a2c5d993154b03260d574745f45f3e628f020131977e4fd1120852db9865652ae5bcfa9b7d557dc91748f7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
482B
MD5e63186ab7446a176fae305e95d77e8dd
SHA183be5a7539befed9103cbdff686d286ee53a7782
SHA2564828617aebb87b69519f9345fe74288b110f9b3e2ce1c462f7de0dd2176369c1
SHA512b8da911d637b56b7943edd2a8b2a6d383c7d2ee7712c6f65015877aba4f0816a960f1f8cad9c8207b071d2093adc40cf428852c30f0b970782f3cda986d33a35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481FFilesize
480B
MD59933c2e2c04d232af26a48cba6ff7be1
SHA1ff53e1d5ec5343bbaa3edcc2cc972e1b9fb0a8c4
SHA256e135d2cd1e14a88b4e88384a559c08c0ef63b3036bdede2df5c047409f2858ac
SHA5123900fd0459603aa75ef320c29f125b631c100d0824dc25dc39b3d7a41cd5de9c38fa3380df7f9dac058c216d9c17d962da054394dc36647a772a361f1e29c9ba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VWVM22OS.txtFilesize
97B
MD5ad1dbd70b3b88c46a23ac7f168b32e70
SHA14739a10790db246c272a5da1737f4b1bba7aeed0
SHA256451189e9839c62d36f4fdd0d050af8291d8ab61935f8c7589e9365d97dc33b1b
SHA512704b5f2aea4bf9a34b128e713670c3e509c7f0dc01a1e2e2febc5f6f565093c83479040230b819ad0755afc952b8f3304998d0ddeccfb2b7d1c781e72d89eb90
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
315KB
MD53fcfd5c852a561e4cd8c7d8017ffdb6e
SHA10f2a20dedede3b6469ef69f0460a56212bb07195
SHA256e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487
SHA51252946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
315KB
MD53fcfd5c852a561e4cd8c7d8017ffdb6e
SHA10f2a20dedede3b6469ef69f0460a56212bb07195
SHA256e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487
SHA51252946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
315KB
MD53fcfd5c852a561e4cd8c7d8017ffdb6e
SHA10f2a20dedede3b6469ef69f0460a56212bb07195
SHA256e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487
SHA51252946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980
-
\Users\Admin\E696D64614\winlogon.exeFilesize
315KB
MD53fcfd5c852a561e4cd8c7d8017ffdb6e
SHA10f2a20dedede3b6469ef69f0460a56212bb07195
SHA256e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487
SHA51252946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980
-
\Users\Admin\E696D64614\winlogon.exeFilesize
315KB
MD53fcfd5c852a561e4cd8c7d8017ffdb6e
SHA10f2a20dedede3b6469ef69f0460a56212bb07195
SHA256e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487
SHA51252946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980
-
memory/1052-73-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1052-74-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1052-78-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1052-70-0x000000000043C540-mapping.dmp
-
memory/1052-69-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1052-87-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1120-66-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1120-61-0x0000000000000000-mapping.dmp
-
memory/1728-63-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1728-55-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1728-58-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1728-57-0x0000000075FF1000-0x0000000075FF3000-memory.dmpFilesize
8KB