3f3916bb972c08aea72f8a96ec0a59ec7a2b9905ba83dbe88a55003ac401683a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48d3dfd049c3327191a0e3f95e6e963.exe
Size

147KB
MD5

c48d3dfd049c3327191a0e3f95e6e963
SHA1

292db472b0aa26de463235efe18c5e6219dfefac
SHA256

3f3916bb972c08aea72f8a96ec0a59ec7a2b9905ba83dbe88a55003ac401683a
SHA512

d330bf2ced6fa6d4eb1f08a87d647c64fc95ece210987cb74a7ea11d782de27dc6cf1a1efc56515357a33940b4037ac93499c0e11159ddae88b5e96ba60998d6
SSDEEP

3072:IyrN/sVywaEj1Uswr83goWmcQlzo9/K0ZCjrWPKvPLGxMXV:Nh9wv1UfUgoWKlklK0ZCj0KvRXV

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1368	lcss.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4832-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/files/0x000b0000000231a8-20.dat	upx
behavioral2/memory/4832-30-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1368-31-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Modifies WinLogon 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	lcss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\net.cpl	c48d3dfd049c3327191a0e3f95e6e963.exe
File opened for modification	C:\Windows\SysWOW64\lcss.exe	c48d3dfd049c3327191a0e3f95e6e963.exe
File opened for modification	C:\Windows\SysWOW64\crypto.dll	c48d3dfd049c3327191a0e3f95e6e963.exe
File opened for modification	C:\Windows\SysWOW64\wlogon.dll	c48d3dfd049c3327191a0e3f95e6e963.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	c48d3dfd049c3327191a0e3f95e6e963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	c48d3dfd049c3327191a0e3f95e6e963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	c48d3dfd049c3327191a0e3f95e6e963.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4832	c48d3dfd049c3327191a0e3f95e6e963.exe
Token: SeDebugPrivilege	4832	c48d3dfd049c3327191a0e3f95e6e963.exe
Token: SeTakeOwnershipPrivilege	1368	lcss.exe
Token: SeDebugPrivilege	1368	lcss.exe

C:\Users\Admin\AppData\Local\Temp\c48d3dfd049c3327191a0e3f95e6e963.exe
"C:\Users\Admin\AppData\Local\Temp\c48d3dfd049c3327191a0e3f95e6e963.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\lcss.exe
C:\Windows\SysWOW64\lcss.exe
1⤵
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\crypto.dll

Filesize
182KB

MD5
323fef65dd447143e781894a8f402e53

SHA1
d628bbd7a77cb3b130a818cb0eebe8ba2366c949

SHA256
5efb120d2f2fc9fb80688a914d49f671082f89af116406281ebce5541db462f9

SHA512
f3c27a149360fc79d7c1fd89a48a0f5b9834cf4135e509abddcb4946868bdd600f2543e25d9acc818a46ee3b133bd145bdff0ae82889fa498a53951884d64fc6

Download Submit
C:\Windows\SysWOW64\lcss.exe

Filesize
145KB

MD5
9f5b321b41aff505835f02f9ef6e3a30

SHA1
7863f969e9acf57f1cd10a2b346788e8aa5f5130

SHA256
e14a99030182f9c72c3018159611d79a361d62accba8263a055aec893ebcbb78

SHA512
d5af94b99b8c02d8ef993fa0879e1f185fb707b9d02aa194d5a304e1a91ccf0ef3ca2f4ac8e8d1512544dfe7043c0d70e0bb8d7b33bf72579832a12e0a0ea9f2

Download Submit
C:\Windows\SysWOW64\net.cpl

Filesize
216KB

MD5
1245f25b86db4533002a5874624efd3b

SHA1
746345de4d5319514a946210cf6b1b8e410169fa

SHA256
1aaf75d630ed4871d7e78e363c685ce3d85c026f1836d3a53e77efcf8022fc5a

SHA512
fa944b7664bf623de2a4aad806dc5ca37a73177aadf97083966e915c9336ca314b90374c88427c202b082234afcb645c597ea16dd9ef2121fd725364694347de

Download Submit
C:\Windows\SysWOW64\wlogon.dll

Filesize
211KB

MD5
ad910070804c9fd67163285a13690009

SHA1
08717411e4978356219703ab0f28a96ea44d38a0

SHA256
3826bd863596e4cb22295b91dce6d368207b7d2a5b1d6581027539be2a16966c

SHA512
65ad7d5a12fec984ae5eae2706c281096343174a2247d8ec936593db7942f4697e8db6da780fc841ac45790d3d24a2afc0a9f6d35dce3540980b8a500be741c5

Download Submit
memory/1368-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4832-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4832-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads