8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea

Analysis

max time kernel
47s
max time network
67s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 10:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
Size

136KB
MD5

5529101db102bcd21dd3c9c2b54e59a0
SHA1

fbe865eda65f8aac009044089b072e1cc80d5c3a
SHA256

8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea
SHA512

2cc134cb4d91ae583406c89e59ab6fe0fad840bcd541fc6952ca9024de9fd8ebdbb44f33a65baa38cf8e7af3217ebf689594b1a15740f82c8354de6f3c95f018
SSDEEP

1536:tGfLyi9iKORK83h/By8jqhWpRePs9vxRvJ7d1UzeJXMvIHpQ93nV6mSS9Tb7B8:7iG3hTVRLZHPHpYnV6QTva

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	winlogons.exe
1984	winlogons.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
1964	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogons.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Login Application = "C:\\Users\\Admin\\AppData\\Roaming\\winlogons.exe"	winlogons.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\X:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\J:	winlogons.exe
File opened (read-only)	\??\Y:	winlogons.exe
File opened (read-only)	\??\N:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\Q:	winlogons.exe
File opened (read-only)	\??\R:	winlogons.exe
File opened (read-only)	\??\T:	winlogons.exe
File opened (read-only)	\??\K:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\K:	winlogons.exe
File opened (read-only)	\??\L:	winlogons.exe
File opened (read-only)	\??\N:	winlogons.exe
File opened (read-only)	\??\O:	winlogons.exe
File opened (read-only)	\??\Z:	winlogons.exe
File opened (read-only)	\??\L:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\U:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\V:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\G:	winlogons.exe
File opened (read-only)	\??\H:	winlogons.exe
File opened (read-only)	\??\W:	winlogons.exe
File opened (read-only)	\??\A:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\P:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\T:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\Y:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\I:	winlogons.exe
File opened (read-only)	\??\E:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\H:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\I:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\W:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\A:	winlogons.exe
File opened (read-only)	\??\E:	winlogons.exe
File opened (read-only)	\??\P:	winlogons.exe
File opened (read-only)	\??\F:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\J:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\M:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\Z:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\F:	winlogons.exe
File opened (read-only)	\??\B:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\O:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\Q:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\S:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\B:	winlogons.exe
File opened (read-only)	\??\M:	winlogons.exe
File opened (read-only)	\??\S:	winlogons.exe
File opened (read-only)	\??\U:	winlogons.exe
File opened (read-only)	\??\G:	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
File opened (read-only)	\??\X:	winlogons.exe
File opened (read-only)	\??\V:	winlogons.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 2012 set thread context of 1984	2012	winlogons.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	winlogons.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	winlogons.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	winlogons.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	winlogons.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	winlogons.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	winlogons.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	winlogons.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	winlogons.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	winlogons.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1984	winlogons.exe
1984	winlogons.exe
1984	winlogons.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
2012	winlogons.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1624 wrote to memory of 1964	1624	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	28
PID 1964 wrote to memory of 2012	1964	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	29
PID 1964 wrote to memory of 2012	1964	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	29
PID 1964 wrote to memory of 2012	1964	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	29
PID 1964 wrote to memory of 2012	1964	8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe	29
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30
PID 2012 wrote to memory of 1984	2012	winlogons.exe	30

C:\Users\Admin\AppData\Local\Temp\8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
"C:\Users\Admin\AppData\Local\Temp\8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
  C:\Users\Admin\AppData\Local\Temp\8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\winlogons.exe
    "C:\Users\Admin\AppData\Roaming\winlogons.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Roaming\winlogons.exe
      C:\Users\Admin\AppData\Roaming\winlogons.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winlogons.exe

Filesize
136KB

MD5
5529101db102bcd21dd3c9c2b54e59a0

SHA1
fbe865eda65f8aac009044089b072e1cc80d5c3a

SHA256
8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea

SHA512
2cc134cb4d91ae583406c89e59ab6fe0fad840bcd541fc6952ca9024de9fd8ebdbb44f33a65baa38cf8e7af3217ebf689594b1a15740f82c8354de6f3c95f018

Download Submit
C:\Users\Admin\AppData\Roaming\winlogons.exe

Filesize
136KB

MD5
5529101db102bcd21dd3c9c2b54e59a0

SHA1
fbe865eda65f8aac009044089b072e1cc80d5c3a

SHA256
8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea

SHA512
2cc134cb4d91ae583406c89e59ab6fe0fad840bcd541fc6952ca9024de9fd8ebdbb44f33a65baa38cf8e7af3217ebf689594b1a15740f82c8354de6f3c95f018

Download Submit
C:\Users\Admin\AppData\Roaming\winlogons.exe

Filesize
136KB

MD5
5529101db102bcd21dd3c9c2b54e59a0

SHA1
fbe865eda65f8aac009044089b072e1cc80d5c3a

SHA256
8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea

SHA512
2cc134cb4d91ae583406c89e59ab6fe0fad840bcd541fc6952ca9024de9fd8ebdbb44f33a65baa38cf8e7af3217ebf689594b1a15740f82c8354de6f3c95f018

Download Submit
\Users\Admin\AppData\Roaming\winlogons.exe

Filesize
136KB

MD5
5529101db102bcd21dd3c9c2b54e59a0

SHA1
fbe865eda65f8aac009044089b072e1cc80d5c3a

SHA256
8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea

SHA512
2cc134cb4d91ae583406c89e59ab6fe0fad840bcd541fc6952ca9024de9fd8ebdbb44f33a65baa38cf8e7af3217ebf689594b1a15740f82c8354de6f3c95f018

Download Submit
\Users\Admin\AppData\Roaming\winlogons.exe

Filesize
136KB

MD5
5529101db102bcd21dd3c9c2b54e59a0

SHA1
fbe865eda65f8aac009044089b072e1cc80d5c3a

SHA256
8cacac617ff84f1de39ba20a37e0c4b751c3a6574d6520f5995d19d6534194ea

SHA512
2cc134cb4d91ae583406c89e59ab6fe0fad840bcd541fc6952ca9024de9fd8ebdbb44f33a65baa38cf8e7af3217ebf689594b1a15740f82c8354de6f3c95f018

Download Submit
memory/1964-56-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-59-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1964-60-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-64-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download