Overview

overview

8

Static

static

5

UnLogOn.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    0s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-10-2024 05:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UnLogOn.exe

  • Size

    45KB

  • MD5

    18d117ad3dbf808df11619c56f601269

  • SHA1

    99643d63f139333da85b39d4a6160d796a62c791

  • SHA256

    ce3d38bbcb8a6874c5afcee785f0124cddabb15d67e8a3762131c331b99f5d82

  • SHA512

    1bb512aaddd026ecac74108b57a62a83402bed4aeb8033af00d1bace8790a1a6692935d4f2985c36b50dc64fd9f56327355b2822eec23e5912d8cd99ddf6fede

  • SSDEEP

    768:Vpm7BcEKNvBcvL6VeRNL1a6ZO4PTPz+o+CKr3zQ4NuVVWgP4+zgwCUnbcuyD7U/P:VpfEKNCj6VoJl9Go5K7s4Nu32Unouy8H

Score
8/10
discoveryexploitupx

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnLogOn.exe
    "C:\Users\Admin\AppData\Local\Temp\UnLogOn.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\924D.tmp\924E.tmp\924F.bat C:\Users\Admin\AppData\Local\Temp\UnLogOn.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\system32\takeown.exe
        takeown /F C:\Windows\system32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:240
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\system32\LogonUI.exe /Grant:r Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\924D.tmp\924E.tmp\924F.bat
    Filesize

    188B

    MD5

    02d39b7a724bd809b164e4f8ae88b336

    SHA1

    dc297967e4ce0dfe8285e864bf28f0778555b8f6

    SHA256

    adfe34c5c28908fa35eedac7e8a3d12e9ce5f9f71abb71ec9f6e00e50d302906

    SHA512

    a5750e10045d84e2ef4d1e4d67bdd2b8ae1adf553205bff353e2d82766d2a3954ce95aa91dfac6285098544aa499c13a524be3b481e2369cb503cfc8450308bc

    Download Submit

  • memory/4048-0-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4048-4-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download