d411385f78db2760b0ba0df942ab794b0749e5e7093f462d1a0e52281fb014be

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2023, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_08e2bb7525f24eexe_JC.exe
Size

280KB
MD5

08e2bb7525f24ed19faca3593c60ca66
SHA1

1e0c9a6fb2883151f6aeee051f2ec936dc0ecb2a
SHA256

d411385f78db2760b0ba0df942ab794b0749e5e7093f462d1a0e52281fb014be
SHA512

39796f6dfa932b789b323f87d13f0d5a0b1a206813c70d40000a8d286d3686835ba75060ed04df2009c7e5654b3831e56dfdc85e88c1e85fdcd1e5f42ad15005
SSDEEP

6144:qTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:qTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	NA_08e2bb7525f24eexe_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
4200	wlogon32.exe
3992	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\ = "haldriver"	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\DefaultIcon\ = "%1"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\open	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\runas	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\open	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\wlogon32.exe\" /START \"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\Content-Type = "application/x-msdownload"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\open\command	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\ = "Application"	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\runas\command	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\runas\command	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\DefaultIcon	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\DefaultIcon	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\open\command	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\wlogon32.exe\" /START \"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.exe\shell\runas	NA_08e2bb7525f24eexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\DefaultIcon\ = "%1"	NA_08e2bb7525f24eexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	NA_08e2bb7525f24eexe_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4200	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4200	1212	NA_08e2bb7525f24eexe_JC.exe	86
PID 1212 wrote to memory of 4200	1212	NA_08e2bb7525f24eexe_JC.exe	86
PID 1212 wrote to memory of 4200	1212	NA_08e2bb7525f24eexe_JC.exe	86
PID 4200 wrote to memory of 3992	4200	wlogon32.exe	87
PID 4200 wrote to memory of 3992	4200	wlogon32.exe	87
PID 4200 wrote to memory of 3992	4200	wlogon32.exe	87

C:\Users\Admin\AppData\Local\Temp\NA_08e2bb7525f24eexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_08e2bb7525f24eexe_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
66a825b346c81de1df6405f447592eb9

SHA1
5f19409e68b0374e7ca98559910ce692d5aed941

SHA256
f9b71a03a703c950b7f552d59491a06f06e772b147fd3db92a0c0db89ac76734

SHA512
c1ac510059b896601822fad95947b5946b534eaf750ebd6bb736429866c579b95389bb46866fc84fe8de77ee38bab3d5752bf7f2a29d535a6f32cd819565c662

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
66a825b346c81de1df6405f447592eb9

SHA1
5f19409e68b0374e7ca98559910ce692d5aed941

SHA256
f9b71a03a703c950b7f552d59491a06f06e772b147fd3db92a0c0db89ac76734

SHA512
c1ac510059b896601822fad95947b5946b534eaf750ebd6bb736429866c579b95389bb46866fc84fe8de77ee38bab3d5752bf7f2a29d535a6f32cd819565c662

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
66a825b346c81de1df6405f447592eb9

SHA1
5f19409e68b0374e7ca98559910ce692d5aed941

SHA256
f9b71a03a703c950b7f552d59491a06f06e772b147fd3db92a0c0db89ac76734

SHA512
c1ac510059b896601822fad95947b5946b534eaf750ebd6bb736429866c579b95389bb46866fc84fe8de77ee38bab3d5752bf7f2a29d535a6f32cd819565c662

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
66a825b346c81de1df6405f447592eb9

SHA1
5f19409e68b0374e7ca98559910ce692d5aed941

SHA256
f9b71a03a703c950b7f552d59491a06f06e772b147fd3db92a0c0db89ac76734

SHA512
c1ac510059b896601822fad95947b5946b534eaf750ebd6bb736429866c579b95389bb46866fc84fe8de77ee38bab3d5752bf7f2a29d535a6f32cd819565c662

Download Submit