d85e7025f4238dddebc7c77259c869790d0042c44233530a52153bf00fd98c5a

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2e894b6d8330eee90102022f40be2b.exe
Size

344KB
MD5

ec2e894b6d8330eee90102022f40be2b
SHA1

ac6e8c67ff505d477bf5fff700d198f3fe8033f0
SHA256

d85e7025f4238dddebc7c77259c869790d0042c44233530a52153bf00fd98c5a
SHA512

d1d1e4c8eabca31527fdf3f0bae4fe8820ba8e886b70836780aff788d06409e02e4829bb9295d3dc3bbcf4608f7b19cb6504c7a8269adb1772abddd7083d571c
SSDEEP

6144:hTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:hTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	ec2e894b6d8330eee90102022f40be2b.exe

Executes dropped EXE 2 IoCs

pid	Process
2596	wlogon32.exe
5012	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\wlogon32.exe\" /START \"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\ = "haldriver"	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\DefaultIcon	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\open\command	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\runas	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\wlogon32.exe\" /START \"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\runas	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\Content-Type = "application/x-msdownload"	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\open	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\open	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\ = "Application"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\DefaultIcon\ = "%1"	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver	ec2e894b6d8330eee90102022f40be2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\DefaultIcon\ = "%1"	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\.exe\shell\runas\command	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\DefaultIcon	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\runas\command	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell\open\command	ec2e894b6d8330eee90102022f40be2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\haldriver\shell	ec2e894b6d8330eee90102022f40be2b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2596	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2596	4072	ec2e894b6d8330eee90102022f40be2b.exe	92
PID 4072 wrote to memory of 2596	4072	ec2e894b6d8330eee90102022f40be2b.exe	92
PID 4072 wrote to memory of 2596	4072	ec2e894b6d8330eee90102022f40be2b.exe	92
PID 2596 wrote to memory of 5012	2596	wlogon32.exe	93
PID 2596 wrote to memory of 5012	2596	wlogon32.exe	93
PID 2596 wrote to memory of 5012	2596	wlogon32.exe	93

C:\Users\Admin\AppData\Local\Temp\ec2e894b6d8330eee90102022f40be2b.exe
"C:\Users\Admin\AppData\Local\Temp\ec2e894b6d8330eee90102022f40be2b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe

Filesize
344KB

MD5
2e1acced26f1165e68c2899dccdc8ae4

SHA1
73567fb828b35cfb6d5945e98867c33707ff9fac

SHA256
33c5c85322ee79a267a1e30590b2cae6591d276d5e8e5b41e4cf03f982c318fa

SHA512
632b3259db32589430e5f3829d17ecd5aba8492bc8369f63943adda24ae3265b04f3b9ef4f26febb01cd51be79e232c34d7e04397b8e7f364f17d4fd54857b44

Download Submit