Malware Analysis Report

2024-12-07 14:53

Sample ID 241011-3tadlsvglr
Target 376c5844cd89ac279f0d6fe59951fa2f_JaffaCakes118
SHA256 fab1a8843e4a41e7321a8ca8f72c7b5c20ec60b979b75e4ac5907f08142fc3da
Tags
discovery defense_evasion exploit
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 376c5844cd89ac279f0d6fe59951fa2f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery defense_evasion exploit

Possible privilege escalation attempt

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies registry class

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 23:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\ICSharpCode.SharpZipLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\ICSharpCode.SharpZipLib.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.vshost.exe"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.vshost.exe

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.vshost.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1484

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.72.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp

Files

memory/1416-0-0x00007FFBA0A75000-0x00007FFBA0A76000-memory.dmp

memory/1416-1-0x00007FFBA07C0000-0x00007FFBA1161000-memory.dmp

memory/1416-10-0x00007FFBA07C0000-0x00007FFBA1161000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

145s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\԰.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\԰.url"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.72.21.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win7-20240708-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe"

Network

N/A

Files

memory/2168-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2168-2-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2168-1-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win7-20240708-en

Max time kernel

119s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\toke.bat"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1300 wrote to memory of 2508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1300 wrote to memory of 2508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1300 wrote to memory of 2508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1300 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 2720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2816 wrote to memory of 2720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2816 wrote to memory of 2720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 1300 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2316 wrote to memory of 2768 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2316 wrote to memory of 2768 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2316 wrote to memory of 2768 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 1300 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1300 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2832 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2832 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 1300 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1300 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\toke.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

cmd.exe /c takeown /f "C:\Windows\Branding\Basebrd\basebrd.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\Branding\Basebrd\basebrd.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\Branding\Basebrd\basebrd.dll" /grant administrators:F

C:\Windows\system32\cmd.exe

cmd.exe /c takeown /f "C:\Windows\system32\authui.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\authui.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\authui.dll" /grant administrators:F

C:\Windows\system32\cmd.exe

cmd.exe /c takeown /f "C:\Windows\system32\imageres.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\imageres.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\imageres.dll" /grant administrators:F

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

96s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\toke.bat"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4028 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 4028 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 4028 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4028 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 880 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 880 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4028 wrote to memory of 4492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4028 wrote to memory of 4492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4028 wrote to memory of 2988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4028 wrote to memory of 2988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 4892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2988 wrote to memory of 4892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4028 wrote to memory of 636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4028 wrote to memory of 636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4028 wrote to memory of 3860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4028 wrote to memory of 3860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3860 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3860 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4028 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4028 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\toke.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

cmd.exe /c takeown /f "C:\Windows\Branding\Basebrd\basebrd.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\Branding\Basebrd\basebrd.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\Branding\Basebrd\basebrd.dll" /grant administrators:F

C:\Windows\system32\cmd.exe

cmd.exe /c takeown /f "C:\Windows\system32\authui.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\authui.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\authui.dll" /grant administrators:F

C:\Windows\system32\cmd.exe

cmd.exe /c takeown /f "C:\Windows\system32\imageres.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\imageres.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\imageres.dll" /grant administrators:F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.72.21.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\ICSharpCode.SharpZipLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\ICSharpCode.SharpZipLib.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe"

Network

N/A

Files

memory/2772-0-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

memory/2772-1-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-2-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-3-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-4-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-5-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-6-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-7-0x0000000002380000-0x0000000002390000-memory.dmp

memory/2772-8-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

memory/2772-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2772-10-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/4652-0-0x00007FFA28F95000-0x00007FFA28F96000-memory.dmp

memory/4652-1-0x000000001BB40000-0x000000001C00E000-memory.dmp

memory/4652-2-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-3-0x000000001C0B0000-0x000000001C14C000-memory.dmp

memory/4652-4-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-5-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

memory/4652-6-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-7-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-8-0x00007FFA28F95000-0x00007FFA28F96000-memory.dmp

memory/4652-9-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-10-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-11-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-12-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-13-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-14-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

memory/4652-15-0x00007FFA28CE0000-0x00007FFA29681000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.vshost.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.vshost.exe

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Logon WorkShop.vshost.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 912

Network

Files

memory/2760-0-0x000007FEF6A8E000-0x000007FEF6A8F000-memory.dmp

memory/2760-10-0x000007FEF67D0000-0x000007FEF716D000-memory.dmp

memory/2760-12-0x000007FEF6A8E000-0x000007FEF6A8F000-memory.dmp

memory/2484-11-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

memory/2760-13-0x000007FEF67D0000-0x000007FEF716D000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\԰.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Logon Workshop\԰.url"

Network

N/A

Files

memory/2508-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2508-1-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 23:47

Reported

2024-10-11 23:50

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe

"C:\Users\Admin\AppData\Local\Temp\Logon Workshop\Apply\ResHacker.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.72.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/2936-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2936-1-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/2936-2-0x00000000006B0000-0x00000000006B1000-memory.dmp