cfe559d136a06224225462f6c71b69fb014236eaa7a8f8d6fdcd539f57d0e6cb

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_NA_2f953be04a4b3dexeexe_JC.exe
Size

280KB
MD5

2f953be04a4b3d4bda010d65c46b4dcd
SHA1

86a23bcb5a2de690005ff9021f9f58d15441f78b
SHA256

cfe559d136a06224225462f6c71b69fb014236eaa7a8f8d6fdcd539f57d0e6cb
SHA512

4a59e1ef1d22cc548e0325188fb1cc454d64a22a37b14efacf3942201dd74a9f6aa2f5e1a7e5b95eb87e0462cc71228d56e3139a81e2da4c0bf764a41fa03b7b
SSDEEP

6144:JQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:JQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	NA_NA_2f953be04a4b3dexeexe_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
4100	wlogon32.exe
1748	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\DefaultIcon\ = "%1"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\DefaultIcon	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\wlogon32.exe\" /START \"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\open\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\DefaultIcon	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\wlogon32.exe\" /START \"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\ = "Application"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\open	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\runas\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\runas	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\Content-Type = "application/x-msdownload"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\ = "haldriver"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\DefaultIcon\ = "%1"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\.exe\shell\runas\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4100	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 4100	3920	NA_NA_2f953be04a4b3dexeexe_JC.exe	86
PID 3920 wrote to memory of 4100	3920	NA_NA_2f953be04a4b3dexeexe_JC.exe	86
PID 3920 wrote to memory of 4100	3920	NA_NA_2f953be04a4b3dexeexe_JC.exe	86
PID 4100 wrote to memory of 1748	4100	wlogon32.exe	87
PID 4100 wrote to memory of 1748	4100	wlogon32.exe	87
PID 4100 wrote to memory of 1748	4100	wlogon32.exe	87

C:\Users\Admin\AppData\Local\Temp\NA_NA_2f953be04a4b3dexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_2f953be04a4b3dexeexe_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
4a7a943b9762d177c6d07951b5087cc6

SHA1
e9dff453a0cb89fcef6b3f6bafdbdc88968c6e47

SHA256
fd422b9a5107a42962e7071a127335f0dda326627b59439bdd7544cf61afe813

SHA512
3afae2203ed7831418dfad64c7fdbc090072585726dc260d6e5c45028787b88e14210c44640843dee43b2bfb4996609e37e013cb03a9789d4e4773d228afeddc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
4a7a943b9762d177c6d07951b5087cc6

SHA1
e9dff453a0cb89fcef6b3f6bafdbdc88968c6e47

SHA256
fd422b9a5107a42962e7071a127335f0dda326627b59439bdd7544cf61afe813

SHA512
3afae2203ed7831418dfad64c7fdbc090072585726dc260d6e5c45028787b88e14210c44640843dee43b2bfb4996609e37e013cb03a9789d4e4773d228afeddc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
4a7a943b9762d177c6d07951b5087cc6

SHA1
e9dff453a0cb89fcef6b3f6bafdbdc88968c6e47

SHA256
fd422b9a5107a42962e7071a127335f0dda326627b59439bdd7544cf61afe813

SHA512
3afae2203ed7831418dfad64c7fdbc090072585726dc260d6e5c45028787b88e14210c44640843dee43b2bfb4996609e37e013cb03a9789d4e4773d228afeddc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

Filesize
280KB

MD5
4a7a943b9762d177c6d07951b5087cc6

SHA1
e9dff453a0cb89fcef6b3f6bafdbdc88968c6e47

SHA256
fd422b9a5107a42962e7071a127335f0dda326627b59439bdd7544cf61afe813

SHA512
3afae2203ed7831418dfad64c7fdbc090072585726dc260d6e5c45028787b88e14210c44640843dee43b2bfb4996609e37e013cb03a9789d4e4773d228afeddc

Download Submit