aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 01:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe
Size

78KB
MD5

5a3045df698e4a8f42d4dec466758b69
SHA1

2e9f42c1b0d439097c3eba959bced83c6010c3cc
SHA256

aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885
SHA512

3b85bae32723f6a27ebb1811f4102827806c199117b9cc6ac4e16994617d23f1481b4e87375a13ce1a0e9850a95b521a0598409a14c000d52042bf1c3a547ba6
SSDEEP

1536:nYD9AdC7dbcshaw44bamXpWKPwYRxiiyaECHAX5mROMwOMQETMy:YD687nz44bHAKPwYRcie0ROfOSf

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3116	winlngon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlngon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlngon.exe"	aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlngon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlngon.exe"	aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3588	5020	WerFault.exe	83

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5020	aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe
3116	winlngon.exe
3116	winlngon.exe
3116	winlngon.exe
3116	winlngon.exe
3116	winlngon.exe
3116	winlngon.exe
3116	winlngon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3116	5020	aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe	84
PID 5020 wrote to memory of 3116	5020	aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe	84
PID 5020 wrote to memory of 3116	5020	aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe	84

C:\Users\Admin\AppData\Local\Temp\aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe
"C:\Users\Admin\AppData\Local\Temp\aaf0a30c2919f9ef4a7f90290b0fef60cbfc5f93d2be1f8d81bcee0999245885.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5020
- \??\c:\users\admin\appdata\local\temp\winlngon.exe
  c:\users\admin\appdata\local\temp\winlngon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 600
  2⤵
  - Program crash
  PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RCX3652.tmp

Filesize
76KB

MD5
caee07ef49dcf772797408bf7be431a5

SHA1
daf82aaad7de4c9a3acea7aeda117c5b965873c5

SHA256
6e3760e91a80576c1989f937f181575583d9227a9b53ee8ff66f928076fe53ee

SHA512
aaf75ae24106b231eda82869f7ed8b50b1861456ac41ce0163c5b92572541594bdfefc272802d0449206c5b615d3549b9f4aab1ac37e993435e584b7ecefb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlngon.exe

Filesize
78KB

MD5
9970cf2759a58b210ab1b57fb505418d

SHA1
67df4c1d7867921f2de1d8589c307eecc3e869f2

SHA256
8da490ae5c71d5d54a6d03df186e86e83bdb539c997cbf95c3cf6c9af3520f11

SHA512
eae2227024ff597c17e92f590d1fd53b4f235e9130ccfb4d33629e16f64e19b35acca0f9158e7ed260f984cbba0b1ab923a06d22fc01c720e32182a0c7b38d26

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads