130a06fb71d109922dbe5297c918c39132464b98644dbda97dfe9be35bba13a7

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecebde9300d082exeexeexeex.exe
Size

327KB
MD5

ecebde9300d0826b2d19a1a4f2d71b36
SHA1

6398e9f01d13f7885f9821ed65ec9131b05bf194
SHA256

130a06fb71d109922dbe5297c918c39132464b98644dbda97dfe9be35bba13a7
SHA512

95ba9b3e2cdae18b5418fa4cdded30fcda6fe4257f2fb41a32bc67c92719e0874a0703700b35b9d06268ebac3ed3b5dca1769d9de2f2020ea360f1038b656798
SSDEEP

6144:T2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:T2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	ecebde9300d082exeexeexeex.exe

Executes dropped EXE 2 IoCs

pid	Process
1096	wlogon32.exe
1084	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\ = "Application"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open\command	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas\command	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\Content-Type = "application/x-msdownload"	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\ = "haldriver"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon\ = "%1"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\DefaultIcon	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\DefaultIcon\ = "%1"	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas	ecebde9300d082exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	ecebde9300d082exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	ecebde9300d082exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1096	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 1096	3956	ecebde9300d082exeexeexeex.exe	85
PID 3956 wrote to memory of 1096	3956	ecebde9300d082exeexeexeex.exe	85
PID 3956 wrote to memory of 1096	3956	ecebde9300d082exeexeexeex.exe	85
PID 1096 wrote to memory of 1084	1096	wlogon32.exe	86
PID 1096 wrote to memory of 1084	1096	wlogon32.exe	86
PID 1096 wrote to memory of 1084	1096	wlogon32.exe	86

C:\Users\Admin\AppData\Local\Temp\ecebde9300d082exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ecebde9300d082exeexeexeex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

Filesize
327KB

MD5
1709d041319f0832d376fa7803e541c9

SHA1
559dfc058ef78ae11b168ee3d4f11ce86484b25a

SHA256
6a6d3fa3d799ff8b61d45a5ccce7c23a3c89c2cbb107a5574f59f5a9a888920d

SHA512
d0c2226ed5d14432063b4a2311dabf53bb09bd25b22175f0f90a568de5c56d013f6082f9eeea9031035068259570cf5e8dae6bbc12cc246bc1d65ca12d0e3e74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

Filesize
327KB

MD5
1709d041319f0832d376fa7803e541c9

SHA1
559dfc058ef78ae11b168ee3d4f11ce86484b25a

SHA256
6a6d3fa3d799ff8b61d45a5ccce7c23a3c89c2cbb107a5574f59f5a9a888920d

SHA512
d0c2226ed5d14432063b4a2311dabf53bb09bd25b22175f0f90a568de5c56d013f6082f9eeea9031035068259570cf5e8dae6bbc12cc246bc1d65ca12d0e3e74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

Filesize
327KB

MD5
1709d041319f0832d376fa7803e541c9

SHA1
559dfc058ef78ae11b168ee3d4f11ce86484b25a

SHA256
6a6d3fa3d799ff8b61d45a5ccce7c23a3c89c2cbb107a5574f59f5a9a888920d

SHA512
d0c2226ed5d14432063b4a2311dabf53bb09bd25b22175f0f90a568de5c56d013f6082f9eeea9031035068259570cf5e8dae6bbc12cc246bc1d65ca12d0e3e74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

Filesize
327KB

MD5
1709d041319f0832d376fa7803e541c9

SHA1
559dfc058ef78ae11b168ee3d4f11ce86484b25a

SHA256
6a6d3fa3d799ff8b61d45a5ccce7c23a3c89c2cbb107a5574f59f5a9a888920d

SHA512
d0c2226ed5d14432063b4a2311dabf53bb09bd25b22175f0f90a568de5c56d013f6082f9eeea9031035068259570cf5e8dae6bbc12cc246bc1d65ca12d0e3e74

Download Submit