Malware Analysis Report

2024-09-11 03:36

Sample ID 240615-jsvtdawgrp
Target Logon_overwriter.exe
SHA256 c15b9e81ad0f1cf19b43ac31bc636ac62f9fae398d2db3fbf430c86eaa55ee9e
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c15b9e81ad0f1cf19b43ac31bc636ac62f9fae398d2db3fbf430c86eaa55ee9e

Threat Level: Likely malicious

The file Logon_overwriter.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 07:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:56

Reported

2024-06-15 07:58

Platform

win7-20240220-en

Max time kernel

88s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\system32\LogonUI.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\system32\LogonUI.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\system32\LogonUI.exe N/A
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe C:\Windows\System32\cmd.exe
PID 2260 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2260 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2260 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2260 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2260 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2260 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1048 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe C:\Windows\System32\cmd.exe
PID 1048 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe C:\Windows\System32\cmd.exe
PID 1048 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe C:\Windows\System32\cmd.exe
PID 2968 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2968 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2968 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2968 wrote to memory of 2780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2968 wrote to memory of 2780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2968 wrote to memory of 2780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\verclsid.exe

"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Network

N/A

Files

memory/1964-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

memory/1964-1-0x0000000000F70000-0x0000000000FF6000-memory.dmp

memory/1964-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

memory/1964-4-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

memory/1048-5-0x0000000000310000-0x0000000000396000-memory.dmp

C:\Windows\System32\LogonUI.exe

MD5 9197af51129577e66987817175ff910c
SHA1 3002e8a0222054f760e15a91f9a2012a54cc4e74
SHA256 01ef25f6039e600bffd3983bb4f346055415b47485a0f253fc6f519568d970c0
SHA512 9d881e5e0e9cacaa9e7f5963438d2165eca1c62f4956b5722c0cda27289efe39c0192b89243ec1bf88c7eeeffc898c336e8c7085fdbf99a787901a4242690395

memory/2440-10-0x0000000000FF0000-0x0000000001036000-memory.dmp

memory/2620-11-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2620-12-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2620-13-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

memory/2620-14-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2620-15-0x0000000140000000-0x00000001405E8000-memory.dmp