a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
Size

52KB
MD5

f3bb66276e7ac3a94edc1a9a9ca53c37
SHA1

e2f6fec017026e5563398fb8495ce646868e302b
SHA256

a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde
SHA512

9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8
SSDEEP

768:GSnjtx4xj1NVf84XWWJtvdvpofMB9pXJXHMXxTIeRtYU7:1ExRrft3CaBsBTIefR7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5020	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\H:\autorun.inf	winlogon.exe
File opened for modification	\??\K:\autorun.inf	winlogon.exe
File opened for modification	\??\W:\autorun.inf	winlogon.exe
File opened for modification	\??\B:\autorun.inf	winlogon.exe
File opened for modification	\??\E:\autorun.inf	winlogon.exe
File opened for modification	\??\I:\autorun.inf	winlogon.exe
File opened for modification	\??\L:\autorun.inf	winlogon.exe
File opened for modification	\??\M:\autorun.inf	winlogon.exe
File opened for modification	\??\P:\autorun.inf	winlogon.exe
File opened for modification	\??\Q:\autorun.inf	winlogon.exe
File opened for modification	\??\U:\autorun.inf	winlogon.exe
File opened for modification	\??\A:\autorun.inf	winlogon.exe
File opened for modification	\??\Z:\autorun.inf	winlogon.exe
File opened for modification	D:\autorun.inf	winlogon.exe
File opened for modification	\??\G:\autorun.inf	winlogon.exe
File opened for modification	\??\T:\autorun.inf	winlogon.exe
File opened for modification	\??\X:\autorun.inf	winlogon.exe
File opened for modification	\??\Y:\autorun.inf	winlogon.exe
File opened for modification	C:\autorun.inf	winlogon.exe
File opened for modification	\??\J:\autorun.inf	winlogon.exe
File opened for modification	\??\N:\autorun.inf	winlogon.exe
File opened for modification	\??\O:\autorun.inf	winlogon.exe
File opened for modification	\??\R:\autorun.inf	winlogon.exe
File opened for modification	\??\S:\autorun.inf	winlogon.exe
File opened for modification	\??\V:\autorun.inf	winlogon.exe
File opened for modification	\??\F:\autorun.inf	winlogon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
File opened for modification	C:\Windows\winlogon.exe	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
File created	C:\Windows\winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe
5020	winlogon.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4364	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
4364	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
5020	winlogon.exe
5020	winlogon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 5020	4364	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe	78
PID 4364 wrote to memory of 5020	4364	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe	78
PID 4364 wrote to memory of 5020	4364	a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe	78

C:\Users\Admin\AppData\Local\Temp\a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
"C:\Users\Admin\AppData\Local\Temp\a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\winlogon.exe
  "C:\Windows\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winlogon.exe

Filesize
52KB

MD5
f3bb66276e7ac3a94edc1a9a9ca53c37

SHA1
e2f6fec017026e5563398fb8495ce646868e302b

SHA256
a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde

SHA512
9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8

Download Submit
C:\Windows\winlogon.exe

Filesize
52KB

MD5
f3bb66276e7ac3a94edc1a9a9ca53c37

SHA1
e2f6fec017026e5563398fb8495ce646868e302b

SHA256
a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde

SHA512
9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8

Download Submit