Analysis

- max time kernel: 155s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 26-11-2022 09:01

Behavioral task: behavioral1
- Sample: 6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe
- Resource: win7-20221111-en

Note: the signature and memory-dump entries further down are labelled behavioral2 and were recorded on the Windows 10 (win10v2004) resource; no results from the win7 task listed here appear on this page.
General

- Target: 6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe
- Size: 1.2MB
- MD5: 5dd8c30bc07c101fe8d172a8ef56b9a6
- SHA1: 7b7cb85e277ab2cb46f28d36669ece099469af98
- SHA256: 6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94
- SHA512: 1c2fb9ef51b4f5488c2dfb22da1a8fc19c45feb17e45976d9ece440aafc8dcc81ebcf5a302eea0d497a45e51dcdc6cc9865475d3627d3450fae6062e122e28ec
- SSDEEP: 1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N
Malware Config
Signatures

Modifies firewall policy service 2 TTPs 18 IoCs
Process: winlogon.exe (all entries). EnableFirewall is only zeroed for DomainProfile; StandardProfile is instead opened up by forcing DoNotAllowExceptions = 0 and adding the dropped winlogon.exe to AuthorizedApplications\List. The entries are recorded under ControlSet001, ControlSet002 and ControlSet003, not only the active control set, which covers whichever control set is selected at the next boot. The trailing @xpsp2res.dll resource ID in the authorized-application string differs on every write.

ControlSet001:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-66231124"
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-60014449"

ControlSet002:
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-6832200"

ControlSet003:
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-25625776"

Modifies security service 2 TTPs 1 IoCs
Process: winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start at the next boot.

UAC bypass 3 IoCs
Process: winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"
EnableLUA = 0 switches UAC off entirely (it takes effect after a reboot); ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt. The same three writes are listed again under "System policy modification".

Windows security bypass 4 IoCs
Process: winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
The WOW6432Node prefix is registry redirection of HKLM\SOFTWARE\Microsoft\Security Center for a 32-bit process on the x64 guest, consistent with the arch:x86 resource tag.

Drops file in Drivers directory 1 IoCs
Process: winlogon.exe
- File opened for modification C:\Windows\system32\drivers\etc\hosts
Only the open-for-write is recorded; the report does not show what was written to the hosts file.

Executes dropped EXE 2 IoCs
- PID 896 winlogon.exe
- PID 1724 winlogon.exe
Both run C:\Users\Admin\E696D64614\winlogon.exe, whose MD5/SHA1/SHA256/SHA512 (see Downloads) are identical to the submitted sample: the dropped file is a copy of the original, not a second-stage payload.

UPX packed file (yara rule: upx) 10 IoCs
- behavioral2/memory/1568-132-0x0000000000400000-0x0000000000447000-memory.dmp
- C:\Users\Admin\E696D64614\winlogon.exe
- C:\Users\Admin\E696D64614\winlogon.exe
- behavioral2/memory/1568-138-0x0000000000400000-0x0000000000447000-memory.dmp
- behavioral2/memory/896-141-0x0000000000400000-0x0000000000447000-memory.dmp
- behavioral2/memory/1724-143-0x0000000000400000-0x000000000043F000-memory.dmp
- C:\Users\Admin\E696D64614\winlogon.exe
- behavioral2/memory/1724-146-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral2/memory/1724-147-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral2/memory/1724-150-0x0000000000400000-0x000000000043F000-memory.dmp

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Process: 6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Windows security modification 15 IoCs
Process: winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus

Checks whether UAC is enabled 1 IoCs
Process: winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Suspicious use of SetThreadContext 1 IoCs
- PID 896 winlogon.exe set thread context of PID 1724 winlogon.exe
Together with the eight WriteProcessMemory calls from 896 to 1724 listed below, and the fact that 1724's dumped image region ends at 0x43F000 where 896's (same file on disk, same base 0x400000) ends at 0x447000, this is consistent with process hollowing: the second winlogon.exe is started from the dropped file but runs a different image.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings 3 IoCs
Process: winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Download
These two values disable Authenticode checking of downloaded executables and allow ones with invalid signatures to run.

Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeBackupPrivilege, PID 1724 winlogon.exe

Suspicious use of SetWindowsHookEx 3 IoCs
- PID 1568 6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe
- PID 896 winlogon.exe
- PID 1724 winlogon.exe

Suspicious use of WriteProcessMemory 11 IoCs
- PID 1568 (6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe) wrote to memory of PID 896 (winlogon.exe): 3 entries
- PID 896 (winlogon.exe) wrote to memory of PID 1724 (winlogon.exe): 8 entries

System policy modification 1 TTPs 3 IoCs
Process: winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"
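The registry writes listed in the signatures above are the reusable detection content of this report. The script below is an added example, not part of the sandbox report: it parses IoC lines in the layout used above (the layout `<op> <path>[ = "<value>"] <process>` is an assumption about how the report's text is laid out) and maps each write to a defence-evasion category. The sample lines are constructed from the report's own entries plus one constructed benign control line (EnableLUA set back to 1 by explorer.exe) that must not be flagged; the rule labels are this example's own.

```python
"""Map registry writes of the kind listed in this report to evasion categories.

Added example, not part of the sandbox report. The parsed line layout
    <op> <path>[ = "<value>"] <process>
is an assumption; the rule labels are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    op: str               # "Set value (int)", "Set value (str)", "Key created", ...
    path: str             # full key path; for Set value events it ends in the value name
    value: Optional[str]  # written data as text, None for key operations
    process: str          # writing process as named in the report


OP_RE = re.compile(r"^(Set value \((?:int|str)\)|Key created|Key value queried)\s+(.*)$")


def parse_event(line: str) -> RegEvent:
    """Parse one IoC line; the process name is always the last token."""
    m = OP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    op, rest = m.group(1), m.group(2)
    rest, process = rest.rsplit(None, 1)
    if ' = "' in rest:                       # value writes carry = "<data>"
        path, value = rest.split(' = "', 1)
        value = value.rstrip('"')
    else:
        path, value = rest, None
    return RegEvent(op, path, value, process)


# (label, regex matched against the full path, predicate on the written value).
# Patterns are suffix-based so \REGISTRY\MACHINE, HKLM, ControlSet00N and
# CurrentControlSet spellings all match; registry paths are case-insensitive.
RULES = [
    ("firewall_disabled",               r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$",           lambda v: v == "0"),
    ("firewall_exceptions_allowed",     r"\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$",     lambda v: v == "0"),
    ("firewall_notifications_off",      r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$",     lambda v: v == "1"),
    ("firewall_authorized_app_added",   r"\\AuthorizedApplications\\List\\.+\.exe$",                lambda v: v is not None and ":*:Enabled:" in v),
    ("security_center_service_disabled", r"\\Services\\wscsvc\\Start$",                             lambda v: v == "4"),  # 4 = SERVICE_DISABLED
    ("uac_disabled",                    r"\\Policies\\System\\EnableLUA$",                           lambda v: v == "0"),
    ("uac_admin_no_prompt",             r"\\Policies\\System\\ConsentPromptBehaviorAdmin$",          lambda v: v == "0"),
    ("security_center_notify_suppressed", r"\\Security Center\\\w+DisableNotify$",                  lambda v: v == "1"),
    ("security_center_monitoring_off",  r"\\Security Center\\Monitoring(?:\\\w+)?\\DisableMonitoring$", lambda v: v == "1"),
    ("ie_exe_signature_check_off",      r"\\Internet Explorer\\Download\\CheckExeSignatures$",      lambda v: v == "no"),
    ("ie_run_invalid_signatures",       r"\\Internet Explorer\\Download\\RunInvalidSignatures$",    lambda v: v == "1"),
]


def classify(lines):
    """Return [(label, RegEvent)] for every line that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for label, pattern, wants in RULES:
            if re.search(pattern, ev.path, re.I) and wants(ev.value):
                findings.append((label, ev))
    return findings


def summarize(lines) -> Counter:
    """Count findings per label."""
    return Counter(label for label, _ in classify(lines))


# Constructed sample: lines transcribed from the report, plus one benign control line.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-66231124" winlogon.exe',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe',
    # Constructed benign control (not from the report): UAC being re-enabled must not fire.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" explorer.exe',
]


if __name__ == "__main__":
    for label, ev in classify(SAMPLE_EVENTS):
        print(f"{label:36} {ev.process:14} {ev.path.rsplit(chr(92), 1)[-1]} = {ev.value}")
```

The rules key on the path suffix and the exact written value, so a legitimate administrator re-enabling UAC or the firewall produces no finding while each of the report's writes maps to exactly one label; the "Key created" entries are preparation only and are deliberately not scored.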
Processes

1. C:\Users\Admin\AppData\Local\Temp\6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe (PID 1568)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94.exe"
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\E696D64614\winlogon.exe (PID 896, child of 1568)
      Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\E696D64614\winlogon.exe (PID 1724, child of 896)
         Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
         - Modifies firewall policy service
         - Modifies security service
         - UAC bypass
         - Windows security bypass
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Windows security modification
         - Checks whether UAC is enabled
         - Modifies Internet Explorer settings
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - System policy modification
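The evidence that separates the third process (PID 1724) from an ordinary child is spread across several signatures: eight WriteProcessMemory calls from 896 to 1724, one SetThreadContext from 896 to 1724, and a dumped image region for 1724 (0x400000 to 0x43F000) that is shorter than the parent's (0x400000 to 0x447000) although both start from the same file on disk. The script below is an added example, not part of the sandbox report, that correlates those records per parent/child pair. The event list, regions and hash are transcribed from the report; the severity thresholds are this example's own assumption.

```python
"""Correlate parent-to-child injection records into a per-pair verdict.

Added example, not part of the sandbox report. Inputs are transcribed from
the report's WriteProcessMemory, SetThreadContext, memory-dump and hash
entries; the severity thresholds are this example's own assumption.
"""
from collections import Counter
from dataclasses import dataclass, field

# (api, source pid, target pid), one tuple per IoC entry in the report.
API_EVENTS = (
    [("WriteProcessMemory", 1568, 896)] * 3    # "PID 1568 wrote to memory of 896" (3 entries)
    + [("WriteProcessMemory", 896, 1724)] * 8  # "PID 896 wrote to memory of 1724" (8 entries)
    + [("SetThreadContext", 896, 1724)]        # "PID 896 set thread context of 1724"
)

# child -> parent, from the report's process tree.
PARENT_OF = {896: 1568, 1724: 896}

# (base, end) of the dumped image region per pid, from the memory-dump entries.
IMAGE_REGIONS = {
    1568: (0x400000, 0x447000),
    896:  (0x400000, 0x447000),
    1724: (0x400000, 0x43F000),
}

# On-disk image hash per pid. The dropped winlogon.exe has the same MD5 as the
# submitted sample, so all three processes start from the same bytes on disk.
IMAGE_HASH = {pid: "5dd8c30bc07c101fe8d172a8ef56b9a6" for pid in (1568, 896, 1724)}


@dataclass
class Verdict:
    parent: int
    child: int
    severity: str                 # "none", "low", "medium" or "high"
    signals: list = field(default_factory=list)


def assess(api_events, parent_of, image_regions, image_hash):
    """Return {(parent, child): Verdict} for every parent/child pair."""
    writes = Counter((s, t) for api, s, t in api_events if api == "WriteProcessMemory")
    ctx_pairs = {(s, t) for api, s, t in api_events if api == "SetThreadContext"}
    verdicts = {}
    for child, parent in parent_of.items():
        pair = (parent, child)
        signals = []
        wrote = writes[pair] > 0
        set_ctx = pair in ctx_pairs
        if wrote:
            signals.append(f"write_process_memory x{writes[pair]}")
        if set_ctx:
            signals.append("set_thread_context")
        # A different-sized image at the same base only means something when
        # parent and child were started from the same on-disk file.
        pr, cr = image_regions.get(parent), image_regions.get(child)
        mismatch = False
        if pr and cr and image_hash.get(parent) == image_hash.get(child):
            mismatch = pr[0] == cr[0] and (pr[1] - pr[0]) != (cr[1] - cr[0])
        if mismatch:
            signals.append(
                f"image_size_mismatch parent=0x{pr[1] - pr[0]:x} child=0x{cr[1] - cr[0]:x}"
            )
        # Hollowing needs both a write into the child and a thread-context change;
        # either alone, or writes plus a size mismatch, is only worth a closer look.
        if wrote and set_ctx:
            severity = "high"
        elif set_ctx or (wrote and mismatch):
            severity = "medium"
        elif wrote:
            severity = "low"
        else:
            severity = "none"
        verdicts[pair] = Verdict(parent, child, severity, signals)
    return verdicts


if __name__ == "__main__":
    for (parent, child), v in assess(API_EVENTS, PARENT_OF, IMAGE_REGIONS, IMAGE_HASH).items():
        print(f"{parent} -> {child}: {v.severity:6} {', '.join(v.signals) or '-'}")
```

Process creation itself produces a few parent-to-child writes, so the three entries from 1568 to 896 on their own only rate "low"; what lifts 896 to 1724 to "high" is the SetThreadContext, with the 0x47000 versus 0x3F000 image size as corroboration that a different image now occupies the child's base address.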
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

The six CryptnetUrlCache entries are CryptoAPI's (crypt32) cache of certificate and revocation material fetched during certificate-chain validation, which any signed-binary or TLS check triggers; treat them as environment noise rather than indicators specific to this sample.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize: 2KB
  MD5: 8cd381eca2d5342e36b1e65a9b7f82d5
  SHA1: d9b529576e1ea26e8daf88fcda26b7a0069da217
  SHA256: 17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369
  SHA512: c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 1KB
  MD5: 8641ac0a62e1e72023be75ceed4638a9
  SHA1: a347dbd79e99d81cdd6ec77783008fec9f7e7d42
  SHA256: d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c
  SHA512: 9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
  Filesize: 472B
  MD5: 176c5bdeeb799ec212e8b21126aa58d5
  SHA1: 02c76719828821643ec84cfe61ecb4499838021c
  SHA256: eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842
  SHA512: a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize: 488B
  MD5: c11e7a53177ce13df4c7c648d698951d
  SHA1: ae714a4b4211b7cebef4596f1bc14a589400331a
  SHA256: 26e56b00f1287178b4eccb10f2e8c58c9198a280fff926393a9ef6554ca604df
  SHA512: 049643b2838ef601ac642417cfeb86d911f7a8c75e75b1ef34e0896d4b44b369ae3d6768c854211f9d62b42489c3e595f6ab5c4d0fed6d64a9ab5becf43b818d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 482B
  MD5: 3118222a131f034a6cdfa2c287e70535
  SHA1: 91cc98e2b51a8aa6b7ee3dae852f8a68756c4d80
  SHA256: 3694036d119bfbddb934875e6b135b64fb5722f900d74aacb2825563fd472edf
  SHA512: 35980f493700ec72fec64ea471b4e758833138c79bc2f5d733c6e232be48e3ae30bca49a8717049eaf708a6b199269ce33fcc6fbf7bbdd70c2bc1bf8782bc545

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
  Filesize: 480B
  MD5: 67969e031a3bf062e3e3e872c977bd6a
  SHA1: 8ea4ed17be5cfbc47f37c174645bceb13404e143
  SHA256: 45afed9ca1c70030a1902b1cc799336632cc8e1fdb159e5c9724d9523c4d7826
  SHA512: 565b9f16d3c9775cf9c92a477f0ffef38c8443ab5f493f571fba8a713658de676dbfbc6e377827262730174f9b6ec92b05a2b80f019955084daeeebb63f60100

- C:\Users\Admin\E696D64614\winlogon.exe (recorded three times with identical hashes; these match the submitted sample under General, so the drop is a self-copy)
  Filesize: 1.2MB
  MD5: 5dd8c30bc07c101fe8d172a8ef56b9a6
  SHA1: 7b7cb85e277ab2cb46f28d36669ece099469af98
  SHA256: 6c1924802d07dd44e7cc174fed2eaf8772eeef6ff559858e0b16ac02f5211f94
  SHA512: 1c2fb9ef51b4f5488c2dfb22da1a8fc19c45feb17e45976d9ece440aafc8dcc81ebcf5a302eea0d497a45e51dcdc6cc9865475d3627d3450fae6062e122e28ec

Memory dumps (PID-offset-range; the dumped range sizes, 0x47000 = 284KB for PIDs 1568 and 896 and 0x3F000 = 252KB for PID 1724, are what show the third process running a different-sized image at the same 0x400000 base):

- memory/896-141-0x0000000000400000-0x0000000000447000-memory.dmp, Filesize: 284KB
- memory/896-135-0x0000000000000000-mapping.dmp
- memory/1568-132-0x0000000000400000-0x0000000000447000-memory.dmp, Filesize: 284KB
- memory/1568-138-0x0000000000400000-0x0000000000447000-memory.dmp, Filesize: 284KB
- memory/1724-146-0x0000000000400000-0x000000000043F000-memory.dmp, Filesize: 252KB
- memory/1724-147-0x0000000000400000-0x000000000043F000-memory.dmp, Filesize: 252KB
- memory/1724-150-0x0000000000400000-0x000000000043F000-memory.dmp, Filesize: 252KB
- memory/1724-143-0x0000000000400000-0x000000000043F000-memory.dmp, Filesize: 252KB
- memory/1724-142-0x0000000000000000-mapping.dmp