2ad01fbc49901f3f3430ec2bc184b42cd454c779e49e6b7fe52d1687df69563a

General

Target

winchancho_combined.exe
Size

4.9MB
MD5

879a44649956c2c14557d1362436ebf4
SHA1

9f7a58ae7fc3d12c3eef167a89a1f80826273a68
SHA256

2ad01fbc49901f3f3430ec2bc184b42cd454c779e49e6b7fe52d1687df69563a
SHA512

57dd8761f5ef53475d23a94026c2b6c48ce1891c9d9d6fba74469d1237796910292e9676825b7525ae9d918c2063ef681f8bad50d0162dab8a3f3148f95cb8a8
SSDEEP

98304:xHFEFEVDxuqqITjatL2QU35zZpnKFEF3FD:xlc0NapG3FCc1

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
800	takeown.exe
5080	icacls.exe

Executes dropped EXE 2 IoCs

pid	Process
240	Logon_overwriter.exe
3380	LogonUI.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
800	takeown.exe
5080	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\LogonUI.exe	Logon_overwriter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1608	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1184	notepad.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	4456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4456	AUDIODG.EXE
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeTakeOwnershipPrivilege	800	takeown.exe
Token: SeShutdownPrivilege	2728	shutdown.exe
Token: SeRemoteShutdownPrivilege	2728	shutdown.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1756	1452	winchancho_combined.exe	79
PID 1452 wrote to memory of 1756	1452	winchancho_combined.exe	79
PID 1756 wrote to memory of 1608	1756	cmd.exe	81
PID 1756 wrote to memory of 1608	1756	cmd.exe	81
PID 1452 wrote to memory of 240	1452	winchancho_combined.exe	83
PID 1452 wrote to memory of 240	1452	winchancho_combined.exe	83
PID 240 wrote to memory of 4600	240	Logon_overwriter.exe	84
PID 240 wrote to memory of 4600	240	Logon_overwriter.exe	84
PID 4600 wrote to memory of 800	4600	cmd.exe	86
PID 4600 wrote to memory of 800	4600	cmd.exe	86
PID 4600 wrote to memory of 5080	4600	cmd.exe	87
PID 4600 wrote to memory of 5080	4600	cmd.exe	87
PID 1452 wrote to memory of 2728	1452	winchancho_combined.exe	88
PID 1452 wrote to memory of 2728	1452	winchancho_combined.exe	88
PID 1452 wrote to memory of 1184	1452	winchancho_combined.exe	91
PID 1452 wrote to memory of 1184	1452	winchancho_combined.exe	91

C:\Users\Admin\AppData\Local\Temp\winchancho_combined.exe
"C:\Users\Admin\AppData\Local\Temp\winchancho_combined.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c taskkill /f /im explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe
  "C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5080
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\fucked_by_silly.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a10055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe

Filesize
598KB

MD5
bed539a8fac681c577d82485c2689968

SHA1
baa8ef0e66e7a450371fb436aeea6e7e3c5ff0f3

SHA256
8b5dd194dfdd5c0cd650d7a14a1b54a4d895da5d3dc70d0907fd4bbcbf473d2c

SHA512
f6c2fc0faa3229c9c58f1066d2046a1ebb7a932d33973f886fd601716d04febb6fff13ddff3a08e008ca985e98cfea67a842ab7379b6944668fec5979a242af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fucked_by_silly.txt

Filesize
269B

MD5
ff3a9eb202f8478dc95a268b49192ab8

SHA1
4062fb3ece98a5a1f6875edceb8ee72ffbebb11b

SHA256
d9a0c8dff4bf8dddbb45663e3788965c571d50e0e8ec0fb02a75b0246f09e3bb

SHA512
81abdf8ca38120f7e87475a3a5dd15ad3fffb808e03a8a75bcbecabf7b536030a6feab58dd4bdc5eb5798e0eced9bb876ec956f8aa1374b6ce5988ce319d33bf

Download Submit
C:\Windows\System32\LogonUI.exe

Filesize
293KB

MD5
7bbbcb480663facafc9924e3e723d26e

SHA1
5d524ae226f3397a3d84486f8d21768dfbd576a9

SHA256
a4d90ce8782a686613403a23ad4a26789c7fd093a7d55b94ab4de8a75b66f4da

SHA512
2354791ccb34ff71aabfc51086cd384c9ef11cb3a764e5b720d8fa0cf7d10af569f10d12490e998fd4b6b649f9ebe61f7ae97dac6504af6fdd1bd128a17ad2a5

Download Submit
memory/240-15-0x0000000000D20000-0x0000000000DBC000-memory.dmp

Filesize
624KB

Download
memory/1452-23-0x00000222FF2D0000-0x00000222FF2DB000-memory.dmp

Filesize
44KB

Download
memory/1452-20-0x00000222FD930000-0x00000222FD976000-memory.dmp

Filesize
280KB

Download
memory/1452-3-0x00007FFC7F100000-0x00007FFC7FBC2000-memory.dmp

Filesize
10.8MB

Download
memory/1452-19-0x00000222FD4B0000-0x00000222FD4CE000-memory.dmp

Filesize
120KB

Download
memory/1452-0-0x00007FFC7F103000-0x00007FFC7F105000-memory.dmp

Filesize
8KB

Download
memory/1452-22-0x00000222FF2C0000-0x00000222FF2CD000-memory.dmp

Filesize
52KB

Download
memory/1452-21-0x00000222FF290000-0x00000222FF299000-memory.dmp

Filesize
36KB

Download
memory/1452-16-0x00007FFC7F100000-0x00007FFC7FBC2000-memory.dmp

Filesize
10.8MB

Download
memory/1452-24-0x00007FFC7F100000-0x00007FFC7FBC2000-memory.dmp

Filesize
10.8MB

Download
memory/1452-25-0x00007FFC7F100000-0x00007FFC7FBC2000-memory.dmp

Filesize
10.8MB

Download
memory/1452-26-0x00007FFC7F100000-0x00007FFC7FBC2000-memory.dmp

Filesize
10.8MB

Download
memory/1452-2-0x00007FFC7F100000-0x00007FFC7FBC2000-memory.dmp

Filesize
10.8MB

Download
memory/1452-1-0x00000222FA640000-0x00000222FAB2E000-memory.dmp

Filesize
4.9MB

Download
memory/3380-29-0x0000000000700000-0x0000000000750000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing