aa05c706355e6962c375ef629d1c147ec5cac6ffa415110acd1f77c562b71cd5

Analysis

max time kernel
140s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lanhoologin/Login.exe
Size

351KB
MD5

cc2dabcef32a7653e835ae43af62e428
SHA1

e82694382011f8349e36f41b855db7d236fb27fb
SHA256

e6bb60fece1d0ebbf6090dd8a44db9aca7cc4a61af0cdf51c03daa41a427b4f1
SHA512

ca94d656766845f50bab95bb4a86dc73101328c3bc1bfbc3d6e433fe1f04dd9fe287e6ac3d02c682497837fd04a0ef4295e6eed2c87ba38496cd02ac9104c9a4
SSDEEP

6144:A5sFtPWXnHiz7rf3yJc+pyBzLXxITHcxVXXwdO9Ca8ymNBK1T+x74:TWXnHiyDpxcPXx918dNBK1T84

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ELogin.ICO	Login.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Login.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{0713E8D2-850A-101B-AFC0-4210102A8DB9}	Login.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0713E8D2-850A-101B-AFC0-4210102A8DB9}\BUTTONTEXT = "webµÇÂ½Æ÷"	Login.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0713E8D2-850A-101B-AFC0-4210102A8DB9}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	Login.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0713E8D2-850A-101B-AFC0-4210102A8DB9}\DEFAULT VISIBLE = "YES"	Login.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0713E8D2-850A-101B-AFC0-4210102A8DB9}\EXEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lanhoologin\\Login.exe"	Login.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0713E8D2-850A-101B-AFC0-4210102A8DB9}\ICON = "C:\\Windows\\ELogin.ICO"	Login.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0713E8D2-850A-101B-AFC0-4210102A8DB9}\HOTICON = "C:\\Windows\\ELogin.ICO"	Login.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe
3616	Login.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3616	Login.exe
3616	Login.exe

C:\Users\Admin\AppData\Local\Temp\lanhoologin\Login.exe
"C:\Users\Admin\AppData\Local\Temp\lanhoologin\Login.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3616-0-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3616-1-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/3616-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3616-13-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3616-22-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/3616-23-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download