Analysis

max time kernel: 59s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1a8e24fc6069af2b6af68922e69e90d6.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1a8e24fc6069af2b6af68922e69e90d6.exe
  Resource: win10v2004-20231215-en
General

Target: 1a8e24fc6069af2b6af68922e69e90d6.exe
Size: 28KB
MD5: 1a8e24fc6069af2b6af68922e69e90d6
SHA1: 033401eaa5e8858cf8d23149fd8d44b1c307db7d
SHA256: 4fc440b6eab1c9eb9b9b354d37a96af0e3553bb63463cfa75a0cdf21f24e6827
SHA512: b1ee23b8174efb261d69c48c98e4152f47fb5ef4980fd9cf0e4d26d441ef82afccaf2ebf2e96871590e098f425b73a8d4668e8ecc6cfb31b87a9a5e663ee202e
SSDEEP: 384:fJnFv7fcsSM+MyXyq/AvBDrrt5WXquvQoJBpqNYEu:x5LcQ+PCq/qrWXxlpE
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation  (process: 1a8e24fc6069af2b6af68922e69e90d6.exe)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe  (process: winlogon.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe  (process: winlogon.exe)
Executes dropped EXE (1 IoC)
  PID 380: winlogon.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\winlogon.exe"  (process: winlogon.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\winlogon.exe"  (process: winlogon.exe)
Drops file in Windows directory (3 IoCs)
The dropped binary borrows the name of the Windows logon process; the legitimate winlogon.exe lives in C:\Windows\System32, not in C:\Windows itself, so the path alone tells the copy apart.
  File created: C:\Windows\winlogon.exe  (process: 1a8e24fc6069af2b6af68922e69e90d6.exe)
  File opened for modification: C:\Windows\winlogon.exe  (process: 1a8e24fc6069af2b6af68922e69e90d6.exe)
  File created: C:\Windows\winlogon.exe  (process: winlogon.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 380: winlogon.exe  (all 64 IoCs are this one process)
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3400: 1a8e24fc6069af2b6af68922e69e90d6.exe  (2 IoCs)
  PID 380: winlogon.exe  (2 IoCs)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3400 (1a8e24fc6069af2b6af68922e69e90d6.exe) wrote to memory of PID 380 (winlogon.exe), procid_target 92  (3 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\1a8e24fc6069af2b6af68922e69e90d6.exe  "C:\Users\Admin\AppData\Local\Temp\1a8e24fc6069af2b6af68922e69e90d6.exe"  (PID 3400)
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\winlogon.exe  "C:\Windows\winlogon.exe"  (PID 380, child of PID 3400)
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
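The signature tables and process tree above can be reduced to a small triage routine that flags the persistence chain this sample builds: a copy of itself written as C:\Windows\winlogon.exe (a system-binary name outside System32), Run values in HKLM and HKCU pointing at that dropped file, a Startup-folder drop, and the Geo\Nation geofence lookup. The script below is an added example, not part of the sandbox report or its tooling. Its event records are constructed from the report's own IoC tables (paths, registry keys and PIDs copied from it); the event dict layout, the helper names and the SYSTEM_BINARIES list are assumptions made for this demonstration. A benign control record (the real winlogon.exe launched from System32) is included so the path check can be seen not to fire on it.

```python
"""Triage the persistence and masquerading IoCs from the sandbox report above.

Added example, not part of the sandbox report or its tooling. The event
records are constructed from the report's IoC tables; the event layout,
helper names and SYSTEM_BINARIES list are assumptions made for this demo.
"""
import ntpath
import re
from collections import Counter

# Process names that legitimately run only from the system directories.
# winlogon.exe is the name this sample impersonates; the list is an assumption.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# HKLM/HKCU ...\CurrentVersion\Run and RunOnce, with or without WOW6432Node.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
GEO_KEY_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

# Constructed from the report. The last record is a benign control: the real
# winlogon.exe launched from System32, which must not trigger anything.
EVENTS = [
    {"type": "reg_query", "pid": 3400, "process": "1a8e24fc6069af2b6af68922e69e90d6.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 3400, "process": "1a8e24fc6069af2b6af68922e69e90d6.exe",
     "path": r"C:\Windows\winlogon.exe"},
    {"type": "process_create", "pid": 380, "ppid": 3400, "process": "winlogon.exe",
     "image": r"C:\Windows\winlogon.exe"},
    # The value name is empty in the report ("Run\ = ..."), hence "name": "".
    {"type": "reg_set", "pid": 380, "process": "winlogon.exe", "name": "",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Windows\winlogon.exe"},
    {"type": "reg_set", "pid": 380, "process": "winlogon.exe", "name": "",
     "key": r"\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Windows\winlogon.exe"},
    {"type": "file_create", "pid": 380, "process": "winlogon.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"},
    {"type": "process_create", "pid": 600, "ppid": 500, "process": "winlogon.exe",
     "image": r"C:\Windows\System32\winlogon.exe"},
]


def masquerading_path(image: str) -> bool:
    """True when a protected system-binary name runs from outside System32/SysWOW64."""
    directory, name = ntpath.split(image)
    return name.lower() in SYSTEM_BINARIES and directory.lower() not in LEGIT_DIRS


def triage(events):
    """Return one finding per suspicious event as {'pid', 'tag', 'evidence'}."""
    dropped = set()  # files written earlier in the trace, to tie Run values back to a drop
    findings = []

    def hit(ev, tag, evidence):
        findings.append({"pid": ev["pid"], "tag": tag, "evidence": evidence})

    for ev in events:
        t = ev["type"]
        if t == "reg_query" and GEO_KEY_RE.search(ev["key"]):
            hit(ev, "geofence_check", ev["key"])
        elif t == "file_create":
            path = ev["path"]
            dropped.add(path.lower())
            if masquerading_path(path):
                hit(ev, "masquerade", path)
            if STARTUP_DIR_RE.search(path):
                hit(ev, "startup_folder_drop", path)
        elif t == "process_create":
            if masquerading_path(ev["image"]):
                hit(ev, "masquerade", ev["image"])
        elif t == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            hit(ev, "run_key", ev["value"])
            # Strongest signal in this trace: an autorun entry pointing at a file the trace dropped.
            if ev["value"].lower() in dropped:
                hit(ev, "run_key_to_dropped_file", ev["value"])
    return findings


def summarize(findings):
    """Count findings per tag."""
    return Counter(f["tag"] for f in findings)


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid {f['pid']:>5}  {f['tag']:<24} {f['evidence']}")
```

On the report's events this yields eight findings, all attributed to PIDs 3400 and 380 and none to the System32 control. The path check is deliberately strict about the directory rather than the file name, because the name is exactly what the sample copies; the correlation between file_create and the later Run value is what separates "some program set a Run key" from "a dropped binary registered itself".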
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 28KB
MD5: 1a8e24fc6069af2b6af68922e69e90d6
SHA1: 033401eaa5e8858cf8d23149fd8d44b1c307db7d
SHA256: 4fc440b6eab1c9eb9b9b354d37a96af0e3553bb63463cfa75a0cdf21f24e6827
SHA512: b1ee23b8174efb261d69c48c98e4152f47fb5ef4980fd9cf0e4d26d441ef82afccaf2ebf2e96871590e098f425b73a8d4668e8ecc6cfb31b87a9a5e663ee202e