ID: 223761 | Sample Name: winlogon.exe | Cookbook: default.jbs | Time: 12:33:29 | Date: 20/04/2020 | Version: 28.0.0 Lapis Lazuli

Table of Contents

Analysis Report winlogon.exe 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 5
    Classification Spiderchart 5
    Analysis Advice 6
  Mitre Att&ck Matrix 6
  Signature Overview 7
    Networking 7
    System Summary 7
    Data Obfuscation 7
    Hooking and other Techniques for Hiding and Protection 8
    Malware Analysis System Evasion 8
    Anti Debugging 8
  Malware Configuration 8
  Behavior Graph 8
  Simulations 8
    Behavior and APIs 8
  Antivirus, Machine Learning and Genetic Malware Detection 9
    Initial Sample 9
    Dropped Files 9
    Unpacked PE Files 9
    Domains 9
    URLs 9
  Yara Overview 9
    Initial Sample 9
    PCAP (Network Traffic) 9
    Dropped Files 9
    Memory Dumps 9
    Unpacked PEs 9
  Sigma Overview 9
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 10
    Dropped Files 10
  Screenshots 10
    Thumbnails 10
  Startup 11
  Created / dropped Files 11
  Domains and IPs 11
    Contacted Domains 11
    Contacted IPs 11
  Static File Info 12
    General 12
    File Icon 12
    Static PE Info 12
      General 12
      Entrypoint Preview 12
      Rich Headers 14
      Data Directories 14
      Sections 14
      Resources 14
      Imports 15
      Version Infos 16
      Possible Origin 17
  Network Behavior 17
    UDP Packets 17
    DNS Queries 17
    DNS Answers 17
  Code Manipulations 17
  Statistics 17
    Behavior 17
  System Behavior 18
    Analysis Process: winlogon.exe PID: 2432 Parent PID: 4848 18
      General 18
    Analysis Process: WerFault.exe PID: 3500 Parent PID: 2432 18
      General 18
      File Activities 18
        File Created 18
        File Deleted 19
      Registry Activities 19
        Key Created 19
        Key Value Created 19
        Key Value Modified 20
  Disassembly 20
    Code Analysis 20

Copyright Joe Security LLC 2020

Analysis Report winlogon.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 223761
Start date: 20.04.2020
Start time: 12:33:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: winlogon.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean3.winEXE@2/0@1/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.158.208.111, 104.103.81.66, 23.39.80.147
• Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, e5684.g.akamaiedge.net, fs.microsoft.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net

Detection

Strategy: Threshold
Score: 3 (range 0 - 100)
Whitelisted: false
Detection: CLEAN
(The Reporting column of this table is a score gauge graphic.)

Confidence

Strategy: Threshold
Score: 2 (range 0 - 5)
Further Analysis Required?: true
(The Confidence column of this table is a gauge graphic.)

Classification Spiderchart

(Radar chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Rings, from the centre outwards: clean, suspicious, malicious.)

Analysis Advice

Sample crashes during execution; try analyzing it on another analysis machine. In this run the crash is visible in the process tree: winlogon.exe (PID 2432) was started from the Desktop at 12:34:35 without administrator privileges, and WerFault.exe was launched against it (-p 2432) one second later. The version resource identifies the file as the Windows 8.1 / Server 2012 R2 build of the Windows Logon Application (6.3.9600.19447, winblue_ltsb), executed here on Windows 10 (1803) as an ordinary user process rather than as the system process that smss.exe normally starts, so a crash at startup is the expected outcome and by itself says nothing about maliciousness.

Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.

Mitre Att&ck Matrix

Techniques per tactic column. A trailing count in parentheses is the number of signatures that matched the technique; entries without a count are the unmatched defaults of the matrix template.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface (2); Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); Security Software Discovery (1); System Information Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap

Signature Overview

• Networking • System Summary • Data Obfuscation • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging


Networking:

Performs DNS lookups

System Summary:

One or more processes crash

PE file contains strange resources

Tries to load missing DLLs

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Classification label

Creates mutexes

Creates temporary files

PE file has an executable .text section and no other executable section

Sample might require command line arguments

Spawns processes

PE file has a high image base, often used for DLLs

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

Data Obfuscation:

PE file contains sections with non-standard names

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Queries disk information (often used to detect virtual machines)

Queries a list of all running processes

Anti Debugging:

Enables debug privileges

Malware Configuration

No configs have been found

Behavior Graph

ID: 223761; Sample: winlogon.exe; Startdate: 20/04/2020; Architecture: WINDOWS; Score: 3

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Graph: winlogon.exe --started--> WerFault.exe (node counters 18 created registry values, 3 created files, matching the Key Value Created and File Created tables under System Behavior); DNS/IP node site-cdn.onenote.net reached via the Internet.

Simulations

Behavior and APIs

Time | Type | Description
12:34:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
winlogon.exe | 0% | Virustotal |
winlogon.exe | 0% | Metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
site-cdn.onenote.net | 0% | Virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
• winlogon.exe (PID: 2432, cmdline: 'C:\Users\user\Desktop\winlogon.exe', MD5: 30B8FF833FB3D892DAB4827E00F530B2)
  • WerFault.exe (PID: 3500, cmdline: C:\Windows\system32\WerFault.exe -u -p 2432 -s 148, MD5: BFD11F05E0245D5178ADFBC609E0328B)
• cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
site-cdn.onenote.net | unknown | unknown | false | 0%, Virustotal | unknown

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.160022115752865
TrID: Win64 Executable GUI (202006/5) 92.65%; Win64 Executable (generic) (12005/4) 5.51%; Generic Win/DOS Executable (2004/3) 0.92%; DOS Executable Generic (2002/1) 0.92%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: winlogon.exe
File size: 571392
MD5: 30b8ff833fb3d892dab4827e00f530b2
SHA1: 6396c263d7e3c31e6310a62f26d38207f46be81e
SHA256: 38d1695f08ec655945ca7a40e7d9485696ffa0bfb7dc809e4cbdba09ea160bc9
SHA512: bd4aaa07bd0483aaafed24695f4fc48638b27e0f7d140ae253758eef2cc4e023f8e3fa003c85a6d2018149e7d776681c11a6506e7bf5f07e043345cd5c9699d4
SSDEEP: 12288:PNhA1qhfiId/lY45v9ogv2mVFWEeO3zmxnuTo/:PPUqhDddYo9mxnuTo
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... U.`...`. ..`....[..`..l....`..l....`...`...b..l....`..l....`..l....`..l....`..l....`..Rich.`...... PE..d.....A]...... "

File Icon

Icon Hash: aab2e3e39383aa00

Static PE Info

General

Entrypoint: 0x140013cc0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5D419815 [Wed Jul 31 13:31:01 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 3
File Version Major: 6
File Version Minor: 3
Subsystem Version Major: 6
Subsystem Version Minor: 3
Import Hash: 12adad8373737f01250ae1985f844b83

"Digitally signed: false" here means the IMAGE_DIRECTORY_ENTRY_SECURITY directory is empty (no embedded Authenticode signature). Windows system binaries are normally signed through catalog files rather than embedded signatures, so this field alone does not distinguish a genuine OS file from a tampered one; the time stamp (31 Jul 2019) is consistent with the 190731 build string in the version resource.

Entrypoint Preview

Instruction listing (as extracted, one instruction per line):

dec eax
sub esp, 28h
call 00007F0D8878225Ch
dec eax
add esp, 28h
jmp 00007F0D8878255Bh
int3
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], esi
dec eax
mov dword ptr [eax+18h], edi
inc ecx
push edi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [eax-78h]
call dword ptr [00066889h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor esi, esi
xor eax, eax
dec eax
cmpxchg dword ptr [0005830Eh], ebx
jne 00007F0D8879E87Bh
mov eax, dword ptr [00058396h]
cmp eax, 01h
je 00007F0D8879E88Ch
mov eax, dword ptr [00058387h]
test eax, eax
jne 00007F0D8879E896h
mov dword ptr [00058375h], 00000001h
dec esp
lea edi, dword ptr [0000C95Ah]
dec eax
lea ebx, dword ptr [0000C93Bh]
dec eax
mov dword ptr [esp+38h], ebx
mov dword ptr [esp+30h], eax
dec ecx
cmp ebx, edi
jnc 00007F0D8878257Fh
test eax, eax
jne 00007F0D8879E85Eh
dec eax
mov edi, dword ptr [ebx]
dec eax
test edi, edi
je 00007F0D88782564h
dec eax
mov ecx, edi
dec eax
mov eax, dword ptr [0006707Bh]
call eax
call edi
mov dword ptr [esp+30h], eax
dec eax
add ebx, 00000000h

Reading note: this preview decodes 64-bit code with a 32-bit disassembler. The recurring single-byte "dec eax", "inc ecx", "dec esp" and "dec ecx" are the REX prefixes 48h, 41h, 4Ch and 49h shown as instructions, so "dec eax / sub esp, 28h" is really sub rsp, 28h and "inc ecx / push edi" is push r15; register names are likewise the 32-bit halves of their 64-bit counterparts. The first six instructions are the standard MSVC startup stub (call to the security-cookie initializer, then a jump into the CRT main routine), which agrees with the VS2008 SP1 Rich header below.

Rich Headers

Programming Language: [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7ae00 | 0x3e8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x118d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x74000 | 0x50f4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x92000 | 0xad0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x64624 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x194f0 | 0x94 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7a000 | 0xdf8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x62d94 | 0x3c0 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6a258 | 0x6a400 | False | 0.489289981618 | data | 6.24961812395 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x6c000 | 0x7157 | 0x4a00 | False | 0.162531672297 | data | 1.94918711626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x74000 | 0x50f4 | 0x5200 | False | 0.462318978659 | data | 5.76082472356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x7a000 | 0x46bc | 0x4800 | False | 0.300401475694 | data | 4.80274011936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x7f000 | 0x4c0 | 0x600 | False | 0.225260416667 | SysEx File - | 2.51389817428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x118d8 | 0x11a00 | False | 0.414394946809 | data | 5.62908946498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x92000 | 0xad0 | 0xc00 | False | 0.507161458333 | data | 5.18860626181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The "non-standard section name" signature in the Data Obfuscation group refers to .didat, which is the delay-import data section the MSVC linker emits for delay-loaded imports (the Data Directories above carry a DELAY_IMPORT entry), so it is expected for this binary. Only .text is executable and no section is both writable and executable.
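The checks behind this table and the Static PE Info table above (link time, image base, DllCharacteristics such as DYNAMIC_BASE, NX_COMPAT and GUARD_CF, the empty SECURITY directory behind "Digitally signed: false", and whether any section other than .text is executable) can be reproduced with a few dozen lines of header parsing. The Python below is an added example written for this page, not Joe Sandbox code. Because the sample itself is not available here, it parses a constructed header-only PE32+ stub that carries the values listed in the report (image base, time stamp, flags, three of the seven sections); every byte of that stub is an assumption, not the real file. The comment on the security directory states the caveat from the table above: no embedded signature is not the same as unsigned, since Windows system binaries are normally catalog-signed.

```python
"""Header-only PE32+ reader reproducing the report's Static PE Info checks."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
DIR_SECURITY, DIR_DEBUG = 4, 6  # IMAGE_DIRECTORY_ENTRY_SECURITY / _DEBUG indices


def _names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32plus(data: bytes) -> dict:
    """Parse the DOS stub pointer, file header, PE32+ optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20  # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, oh)[0] != 0x20B:
        raise ValueError("not PE32+ (magic != 0x20b)")
    entry, = struct.unpack_from("<I", data, oh + 16)
    image_base, = struct.unpack_from("<Q", data, oh + 24)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    ndirs, = struct.unpack_from("<I", data, oh + 108)
    dirs = [struct.unpack_from("<II", data, oh + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, *_, sflags = struct.unpack_from("<8sIIIIIIHHI", data, oh + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": vaddr, "vsize": vsize,
                         "executable": bool(sflags & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(sflags & IMAGE_SCN_MEM_WRITE)})
    _, sec_size = dirs[DIR_SECURITY] if len(dirs) > DIR_SECURITY else (0, 0)
    return {
        "machine": machine,
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "image_base": image_base,
        "entry_point": image_base + entry,
        "subsystem": subsystem,
        "file_characteristics": _names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
        # Empty SECURITY directory == no *embedded* Authenticode signature. OS binaries
        # are usually catalog-signed, so False here is not evidence of tampering by itself.
        "embedded_signature": sec_size != 0,
        "sections": sections,
    }


def executable_sections(info: dict) -> list:
    return [s["name"] for s in info["sections"] if s["executable"]]


def mitigations_missing(info: dict) -> list:
    """The 'modern PE flags' the report looks for; returns those not set."""
    wanted = ("DYNAMIC_BASE", "HIGH_ENTROPY_VA", "NX_COMPAT", "GUARD_CF")
    return [f for f in wanted if f not in info["dll_characteristics"]]


def build_stub() -> bytes:
    """Constructed header-only PE32+ image carrying the report's values (assumption, not the file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    secs = [  # (name, VirtualAddress, VirtualSize, Characteristics) for three of the seven sections
        (b".text", 0x1000, 0x6A258, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x6C000, 0x7157, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x80000, 0x118D8, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(secs), 0x5D419815, 0, 0, 240, 0x0002 | 0x0020)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x13CC0)         # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    struct.pack_into("<HH", opt, 40, 6, 3)           # Major/MinorOperatingSystemVersion 6.3
    struct.pack_into("<HH", opt, 68, 2, 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000)  # GUI, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * DIR_DEBUG, 0x64624, 0x38)  # DEBUG dir; SECURITY stays 0/0
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, f) for n, va, vs, f in secs)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    info = parse_pe32plus(build_stub())
    print(info["link_time"], hex(info["entry_point"]), info["dll_characteristics"])
    print("executable sections:", executable_sections(info), "missing mitigations:", mitigations_missing(info))
```

Point `parse_pe32plus` at the bytes of a real file to get the same fields; `mitigations_missing` returning an empty list and `executable_sections` returning only `.text` correspond to the "Contains modern PE file flags" and "executable .text section and no other executable section" signatures in the Signature Overview.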

Resources

Name | RVA | Size | Type | Language | Country
MUI | 0x917d8 | 0x100 | data | English | United States
WEVT_TEMPLATE | 0x80938 | 0x3b6e | data | English | United States
RT_ICON | 0x844a8 | 0x668 | data | English | United States
RT_ICON | 0x84b10 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967295, next used block 16252927 | English | United States
RT_ICON | 0x84df8 | 0x1e8 | data | English | United States
RT_ICON | 0x84fe0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x85108 | 0xea8 | data | English | United States
RT_ICON | 0x85fb0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x86858 | 0x6c8 | data | English | United States
RT_ICON | 0x86f20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x87488 | 0x402e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x8b4b8 | 0x25a8 | data | English | United States
RT_ICON | 0x8da60 | 0x10a8 | data | English | United States
RT_ICON | 0x8eb08 | 0x988 | data | English | United States
RT_ICON | 0x8f490 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x8f9b8 | 0x2e8 | data | English | United States
RT_ICON | 0x8fcb8 | 0xba8 | data | English | United States
RT_ICON | 0x90878 | 0xba8 | data | English | United States
RT_GROUP_ICON | 0x8f8f8 | 0xbc | data | English | United States
RT_GROUP_ICON | 0x8fca0 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x90860 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x91420 | 0x14 | data | English | United States
RT_VERSION | 0x91438 | 0x3a0 | data | English | United States
RT_MANIFEST | 0x805a0 | 0x391 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

The Type column is libmagic output on the raw resource bytes. "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" against RT_ICON entries are the usual misidentifications of headerless icon bitmaps, and these labels are what the "PE file contains strange resources" signature reacts to; they do not indicate embedded foreign data.

Imports

msvcrt.dll: ?terminate@@YAXXZ, __dllonexit, _unlock, _lock, _commode, _fmode, _acmdln, __C_specific_handler, _initterm, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, _amsg_exit, _XcptFilter, wcspbrk, _wtoi, _ultow, iswspace, wcstok, _wcsnicmp, wcsrchr, _tolower, isupper, __isascii, ??_U@YAPEAX_K@Z, ??_V@YAXPEAX@Z, memcpy_s, _purecall, _wcsicmp, _onexit, wcschr, ??3@YAXPEAX@Z, memcpy, memmove, memcmp, ??2@YAPEAX_K@Z, __getmainargs, _vsnwprintf, wcsstr, wcscpy_s, memset, wcscmp

ntdll.dll: NtReplyPort, NtCreateEvent, RtlConnectToSm, RtlSendMsgToSm, RtlCompareMemory, RtlInitializeResource, RtlAcquireResourceExclusive, RtlReleaseResource, RtlDeleteResource, NtGetCachedSigningLevel, WinSqmSetString, NtReplyWaitReceivePort, NtCreatePort, NtCompleteConnectPort, TpReleaseTimer, NtQueryInformationProcess, RtlUnhandledExceptionFilter, NtDuplicateToken, NtAdjustPrivilegesToken, RtlGetDaclSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlAddAce, WinSqmIsOptedIn, TpWaitForTimer, RtlQueryResourcePolicy, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlEqualSid, NtFilterToken, RtlFreeUnicodeString, RtlDuplicateUnicodeString, NtInitiatePowerAction, RtlAdjustPrivilege, TpAllocTimer, TpSetTimer, RtlTimeToSecondsSince1980, NtOpenFile, RtlAppendUnicodeToString, NtOpenDirectoryObject, RtlFreeSid, NtSetSecurityObject, RtlSetSaclSecurityDescriptor, RtlAddMandatoryAce, RtlCreateAcl, RtlCreateSecurityDescriptor, RtlAllocateAndInitializeSid, RtlOpenCurrentUser, RtlCopySid, RtlNtStatusToDosErrorNoTeb, RtlExpandEnvironmentStrings_U, RtlGetAce, TpAllocWait, TpPostWork, TpAllocWork, TpReleaseWork, TpWaitForWork, TpReleaseWait, TpWaitForWait, TpSetWait, RtlDeregisterWait, RtlRegisterWait, TpSimpleTryPost, RtlLengthSid, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlInitializeCriticalSection, WinSqmAddToStream, RtlInitString, NtAllocateLocallyUniqueId, RtlCompareUnicodeString, RtlCreateEnvironment, RtlInitUnicodeString, RtlSetEnvironmentVariable, RtlQueryEnvironmentVariable_U, RtlInitUnicodeStringEx, EtwEventActivityIdControl, EtwEventWriteStartScenario, EtwEventWriteEndScenario, NtOpenThreadToken, RtlUnlockBootStatusData, RtlGetSetBootStatusData, RtlLockBootStatusData, RtlRemovePrivileges, RtlDestroyEnvironment, EtwEventUnregister, RtlDeleteCriticalSection, WinSqmSetDWORD, RtlpVerifyAndCommitUILanguageSettings, EtwEventRegister, NtSetInformationProcess, EtwUnregisterTraceGuids, EtwRegisterTraceGuidsW, EtwGetTraceEnableFlags, EtwGetTraceEnableLevel, EtwGetTraceLoggerHandle, NtQuerySystemInformation, NtSystemDebugControl, NtPowerInformation, WinSqmEndSession, WinSqmStartSession, RtlCopyLuid, RtlCaptureStackBackTrace, NtSetEvent, NtOpenEvent, NtUnmapViewOfSection, DbgPrintEx, DbgPrompt, NtRequestPort, NtConnectPort, NtRequestWaitReplyPort, RtlGetNtProductType, NtClose, NtQueryInformationToken, NtOpenProcessToken, NtShutdownSystem, RtlNtStatusToDosError, EtwEventEnabled, EtwEventWrite, EtwTraceMessage, NtAcceptConnectPort

-ms-win-core-heap-l1-2-0.dll: HeapAlloc, HeapSize, GetProcessHeap, HeapFree, HeapSetInformation

api-ms-win-core-processthreads-l1-1-2.dll: OpenProcess, TerminateProcess, GetCurrentThreadId, GetStartupInfoW, CreateThread, SetPriorityClass, GetCurrentProcess, SetThreadPriority, GetCurrentProcessId, OpenProcessToken, TerminateThread, CreateRemoteThread, GetExitCodeProcess, CreateProcessW, GetProcessId, SetThreadToken, ExitProcess, OpenThreadToken, CreateProcessAsUserW, ResumeThread, GetProcessTimes, GetCurrentThread

api-ms-win-core-libraryloader-l1-2-0.dll: FindResourceExW, LoadResource, LoadStringW, GetModuleFileNameW, LockResource, LoadLibraryExW, GetProcAddress, GetModuleHandleW, FreeLibrary

api-ms-win-core-localization-l1-2-1.dll: FormatMessageW, GetThreadUILanguage

api-ms-win-core-errorhandling-l1-1-1.dll: SetLastError, SetErrorMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetLastError

api-ms-win-core-shutdown-l1-1-1.dll: InitiateShutdownW

api-ms-win-core-registry-l1-1-0.dll: RegCloseKey, RegGetValueW, RegDeleteTreeW, RegSetKeySecurity, RegDeleteKeyExW, RegQueryValueExW, RegOpenCurrentUser, RegOpenKeyExW, RegDeleteValueW, RegEnumValueW, RegFlushKey, RegCreateKeyExW, RegGetValueA, RegSetValueExW, RegQueryInfoKeyW, RegEnumKeyExW

api-ms-win-security-base-l1-2-0.dll: GetSidIdentifierAuthority, IsValidSid, CheckTokenMembership, GetTokenInformation, SetTokenInformation, AllocateLocallyUniqueId, EqualSid, GetLengthSid, DuplicateToken, ImpersonateLoggedOnUser, RevertToSelf, DuplicateTokenEx, CreateWellKnownSid

api-ms-win-core-synch-l1-2-0.dll: SleepEx, EnterCriticalSection, Sleep, ReleaseSRWLockShared, AcquireSRWLockShared, WaitForSingleObject, CreateMutexW, WaitForSingleObjectEx, LeaveCriticalSection, ReleaseSRWLockExclusive, OpenEventW, AcquireSRWLockExclusive, InitializeSRWLock, SetEvent, TryEnterCriticalSection, ResetEvent, InitializeCriticalSection, DeleteCriticalSection, CreateEventW

api-ms-win-core-handle-l1-1-0.dll: CloseHandle, DuplicateHandle

api-ms-win-eventing-controller-l1-1-0.dll: ControlTraceW, EnableTraceEx2, StartTraceW

api-ms-win-core-file-l2-1-1.dll: MoveFileExW

api-ms-win-core-sysinfo-l1-2-1.dll: GetTickCount64, GetVersionExW, GetSystemTimeAsFileTime, GetSystemWindowsDirectoryW, GetSystemDirectoryW, GetTickCount

api-ms-win-power-setting-l1-1-0.dll: PowerSettingRegisterNotification, PowerSettingUnregisterNotification

api-ms-win-core-threadpool-l1-2-0.dll: SetThreadpoolThreadMaximum, CreateThreadpool, CloseThreadpool, CloseThreadpoolCleanupGroupMembers, CloseThreadpoolCleanupGroup, SubmitThreadpoolWork, SetThreadpoolThreadMinimum, CreateThreadpoolCleanupGroup, CreateThreadpoolWork, TrySubmitThreadpoolCallback, CloseThreadpoolWork

RPCRT4.dll: RpcAsyncAbortCall, RpcServerUseProtseqEpW, RpcAsyncCompleteCall, I_RpcMapWin32Status, RpcRevertToSelf, RpcImpersonateClient, I_RpcBindingInqLocalClientPID, Ndr64AsyncClientCall, RpcAsyncInitializeHandle, RpcAsyncCancelCall, RpcMgmtIsServerListening, RpcStringFreeW, RpcBindingSetAuthInfoExW, RpcStringBindingComposeW, RpcBindingFromStringBindingW, UuidFromStringW, NdrClientCall3, RpcBindingUnbind, RpcBindingBind, I_RpcExceptionFilter, RpcBindingFree, RpcBindingCreateW, RpcServerSubscribeForNotification, NdrServerCallAll, RpcServerUnsubscribeForNotification, RpcServerRegisterIfEx, RpcServerInqBindings, RpcServerListen, I_RpcBindingIsClientLocal, RpcServerTestCancel, RpcEpRegisterW, RpcServerUseProtseqW, RpcBindingVectorFree, RpcServerUnregisterIf, RpcEpUnregister, NdrAsyncServerCall, RpcRaiseException, NdrServerCall2, Ndr64AsyncServerCallAll, RpcServerInqCallAttributesW

api-ms-win-core-string-l1-1-0.dll: WideCharToMultiByte, CompareStringW

api-ms-win-core-file-l1-2-1.dll: ReadFile, CompareFileTime, CreateFileW, GetFileAttributesW, GetShortPathNameW

api-ms-win-core-memory-l1-1-2.dll: VirtualUnlock, VirtualLock, SetProcessWorkingSetSizeEx, VirtualAlloc, VirtualFree, GetProcessWorkingSetSizeEx

api-ms-win-core-processenvironment-l1-2-0.dll: ExpandEnvironmentStringsW, SearchPathW, GetCommandLineW, SetEnvironmentVariableW

api-ms-win-core-psapi-l1-1-0.dll: QueryFullProcessImageNameW

api-ms-win-power-base-l1-1-0.dll: PowerDeterminePlatformRoleEx

api-ms-win-core-timezone-l1-1-0.dll: SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-1.dll: GetDateFormatW, GetTimeFormatW

api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter

api-ms-win-security-lsalookup-l1-1-1.dll: LsaLookupManageSidNameMapping, LookupAccountSidLocalW, LsaLookupFreeMemory

api-ms-win-core-threadpool-legacy-l1-1-0.dll: DeleteTimerQueueTimer, CreateTimerQueueTimer, QueueUserWorkItem, UnregisterWaitEx

api-ms-win-core-kernel32-legacy-l1-1-1.dll: GetComputerNameW, RegisterWaitForSingleObject, UnregisterWait

api-ms-win-eventlog-legacy-l1-1-0.dll: ReportEventW, DeregisterEventSource, GetEventLogInformation, RegisterEventSourceW

api-ms-win-core-heap-obsolete-l1-1-0.dll: LocalFree, LocalSize, LocalReAlloc, LocalAlloc

api-ms-win-core-string-obsolete-l1-1-0.dll: lstrlenW

api-ms-win-core-appcompat-l1-1-1.dll: BaseInitAppcompatCacheSupport

api-ms-win-security-lsapolicy-l1-1-0.dll: LsaOpenPolicy, LsaStorePrivateData, LsaClose

api-ms-win-core-job-l2-1-0.dll: CreateJobObjectW, SetInformationJobObject, AssignProcessToJobObject, QueryInformationJobObject, TerminateJobObject

api-ms-win-core-debug-l1-1-1.dll: DebugBreak, IsDebuggerPresent

api-ms-win-service-management-l1-1-0.dll: StartServiceW, OpenSCManagerW, OpenServiceW, CloseServiceHandle

api-ms-win-service-management-l2-1-0.dll: QueryServiceConfigW, NotifyServiceStatusChangeW

api-ms-win-service-winsvc-l1-2-0.dll: QueryServiceStatus

api-ms-win-core-version-l1-1-0.dll: GetFileVersionInfoSizeExW, GetFileVersionInfoExW, VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0.dll: TraceMessage

api-ms-win-security-credentials-l1-1-0.dll: CredFree, CredUnmarshalCredentialW

api-ms-win-security-lsalookup-l2-1-1.dll: LookupAccountSidW, LookupAccountNameW

api-ms-win-core-apiquery-l1-1-0.dll: ApiSetQueryApiSetPresence

api-ms-win-base-bootconfig-l1-1-0.dll: NotifyBootConfigStatus

api-ms-win-security-credentials-l2-1-0.dll: CredReadByTokenHandle

api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI, DelayLoadFailureHook

api-ms-win-core--l1-1-0.dll: IsWow64Process

For triage, note that the imports that drive the "Enables debug privileges", "Queries a list of all running processes" and "Spawns processes" signatures (RtlAdjustPrivilege, NtQuerySystemInformation, CreateProcessAsUserW) sit next to RtlConnectToSm/RtlSendMsgToSm, NtCreatePort/NtAcceptConnectPort, NtShutdownSystem and LsaStorePrivateData, which together match the role the version resource claims for the file (Windows Logon Application: session manager connection, LPC server, user session creation, shutdown). The import hash above can be compared with the hash of a known-good winlogon.exe of the same build when judging whether the binary has been modified.

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | winlogon
FileVersion | 6.3.9600.19447 (winblue_ltsb.190731-0600)
CompanyName | Microsoft Corporation
ProductName | Microsoft® Windows® Operating System
ProductVersion | 6.3.9600.19447
FileDescription | Windows Logon Application
OriginalFilename | WINLOGON.EXE
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system: English
Country where language is spoken: United States
(The Map column is a graphic.)

Network Behavior

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2020 12:34:38.537072897 CEST | 63911 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2020 12:34:38.562417984 CEST | 53 | 63911 | 8.8.8.8 | 192.168.2.7
Apr 20, 2020 12:35:03.881985903 CEST | 60916 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2020 12:35:03.916847944 CEST | 53 | 60916 | 8.8.8.8 | 192.168.2.7
Apr 20, 2020 12:36:16.380662918 CEST | 54567 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2020 12:36:16.415704966 CEST | 53 | 54567 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 20, 2020 12:36:16.380662918 CEST | 192.168.2.7 | 8.8.8.8 | 0x3057 | Standard query (0) | site-cdn.onenote.net | A (IP address) | IN (0x0001)

Of the three UDP port-53 exchanges listed above, only this one is itemised as a query. It was sent at 12:36:16, about 100 seconds after winlogon.exe (started 12:34:35) had crashed and WerFault.exe (started 12:34:36) had been launched against it, and site-cdn.onenote.net.edgekey.net is on the report's own list of whitelisted domains. With Office 2016 installed on the analysis image, the lookup is more plausibly background traffic of the image than activity of the sample, so the "Performs DNS lookups" signature should not be read as sample-initiated networking without further evidence.

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 20, 2020 12:36:16.415704966 CEST | 8.8.8.8 | 192.168.2.7 | 0x3057 | No error (0) | site-cdn.onenote.net | site-cdn.onenote.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001)

Code Manipulations

Statistics

Behavior

• winlogon.exe • WerFault.exe


System Behavior

Analysis Process: winlogon.exe PID: 2432 Parent PID: 4848

General

Start time: 12:34:35
Start date: 20/04/2020
Path: C:\Users\user\Desktop\winlogon.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\winlogon.exe'
Imagebase: 0x7ff70dd20000
File size: 571392 bytes
MD5 hash: 30B8FF833FB3D892DAB4827E00F530B2
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

The runtime image base 0x7ff70dd20000 differs from the preferred base 0x140000000 in the PE header, which is the DYNAMIC_BASE / HIGH_ENTROPY_VA flags taking effect (the loader relocated the image via the .reloc section).

Analysis Process: WerFault.exe PID: 3500 Parent PID: 2432

General

Start time: 12:34:36
Start date: 20/04/2020
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 2432 -s 148
Imagebase: 0x7ff75d780000
File size: 494488 bytes
MD5 hash: BFD11F05E0245D5178ADFBC609E0328B
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
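The two General blocks above carry the facts a detection engineer would key on: a process named winlogon.exe with an image path under C:\Users\...\Desktop, a parent that is not smss.exe, no administrator privileges, and a child WerFault.exe whose -p argument points back at it. The Python below, an added example and not part of the report, runs those checks (image directory, expected parent, expected user) plus WerFault crash correlation over a constructed process-creation log. The winlogon.exe and WerFault.exe rows reuse the PIDs, paths and command lines from this report; the smss.exe, legitimate winlogon.exe and explorer.exe rows, the parent chain above PID 4848 and every user name are assumptions.

```python
"""Process-tree triage: core Windows process names running from the wrong
directory, under the wrong parent or user, plus WerFault crash correlation."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_USER = r"nt authority\system"
# Expected parent image for core processes in the standard boot/logon tree.
EXPECTED_PARENT = {
    "winlogon.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# "WerFault.exe -u -p <pid> -s <event>" names the process that faulted.
WERFAULT_TARGET = re.compile(r"werfault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)

# Constructed process-creation events. PIDs, paths and command lines of the
# winlogon.exe/WerFault.exe pair are the report's; everything else is assumed.
EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\smss.exe",
     "cmdline": r"\SystemRoot\System32\smss.exe", "user": SYSTEM_USER},
    {"pid": 620, "ppid": 400, "image": r"C:\Windows\System32\winlogon.exe",
     "cmdline": "winlogon.exe", "user": SYSTEM_USER},
    {"pid": 4848, "ppid": 4700, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": r"desktop\user"},
    {"pid": 2432, "ppid": 4848, "image": r"C:\Users\user\Desktop\winlogon.exe",
     "cmdline": r"'C:\Users\user\Desktop\winlogon.exe'", "user": r"desktop\user"},
    {"pid": 3500, "ppid": 2432, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 2432 -s 148", "user": r"desktop\user"},
]


def analyze(events):
    """Return (pid, finding, detail) tuples for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        path = PureWindowsPath(e["image"])
        name = path.name.lower()
        parent = by_pid.get(e["ppid"])
        parent_name = PureWindowsPath(parent["image"]).name.lower() if parent else None
        if name in EXPECTED_PARENT:
            # T1036 masquerading: a core process name outside the system directories.
            if str(path.parent).lower() not in SYSTEM_DIRS:
                findings.append((e["pid"], "masquerade_path", e["image"]))
            # Core processes have a fixed parent; anything else is worth a look.
            if parent_name not in EXPECTED_PARENT[name]:
                findings.append((e["pid"], "unexpected_parent",
                                 parent_name or f"ppid {e['ppid']} not in log"))
            # They also run as SYSTEM, never as an interactive user.
            if e["user"].lower() != SYSTEM_USER:
                findings.append((e["pid"], "unexpected_user", e["user"]))
        m = WERFAULT_TARGET.search(e["cmdline"])
        if m:  # tie the crash back to the faulting process
            crashed = int(m.group(1))
            target = by_pid.get(crashed)
            findings.append((crashed, "crashed", target["image"] if target else "target not in log"))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in analyze(EVENTS):
        print(f"pid {pid}: {kind} ({detail})")
```

Run against this log, the legitimate winlogon.exe (PID 620) produces nothing, while PID 2432 is reported four times: wrong directory, wrong parent, wrong user, and crashed (via the WerFault.exe child). The same three checks apply to any core process name in `EXPECTED_PARENT`; the parent table is the part to extend for other environments.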

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\DBG | read data or list directory | synchronize | device | directory file | synchronous io non alert | open for backup ident | open reparse point | object name collision | 1 | 7FF9E4CF527E | unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER814A.tmp | read attributes | synchronize | generic read | device | synchronous io non alert | non directory file | success or wait | 1 | 7FF9E4CEE9F7 | unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER814A.tmp.dmp | read attributes | synchronize | generic read | generic write | device | synchronous io non alert | non directory file | success or wait | 1 | 7FF9E4CEE9F7 | unknown

File Deleted

File Path | Completion | Count | Address | Symbol
C:\ProgramData\Microsoft\Windows\WER\Temp\WER814A.tmp | success or wait | 1 | 7FF9E4CEE9F7 | unknown

Registry Activities

Key Created

Key Path | Completion | Count | Address | Symbol
\REGISTRY\A\{4ce6e157-9b4f-8fb8-60c4-ef06b7b946d4}\Root\InventoryApplicationFile\PermissionsCheckTestKey | success or wait | 1 | 7FF9E4D11D2D | unknown
\REGISTRY\A\{4ce6e157-9b4f-8fb8-60c4-ef06b7b946d4}\Root\InventoryApplicationFile\PermissionsCheckTestKey | success or wait | 1 | 7FF9E4D11D2D | unknown
\REGISTRY\A\{4ce6e157-9b4f-8fb8-60c4-ef06b7b946d4}\Root\InventoryApplicationFile\winlogon.exe|6ff4f6a432fc562a | success or wait | 1 | 7FF9E4D11D2D | unknown
\REGISTRY\A\{4ce6e157-9b4f-8fb8-60c4-ef06b7b946d4}\Root\InventoryApplicationFile\PermissionsCheckTestKey | success or wait | 1 | 7FF9E4CEE3FE | unknown

\REGISTRY\A\{GUID}\Root is an application hive, and InventoryApplicationFile is the application-compatibility inventory kept in Amcache.hve. These writes are Windows recording metadata about the crashed file during the WerFault.exe report, not the sample establishing persistence, which is why they are listed under the WerFault.exe process.

Key Value Created

Key Path (all rows): \REGISTRY\A\{4ce6e157-9b4f-8fb8-60c4-ef06b7b946d4}\Root\InventoryApplicationFile\winlogon.exe|6ff4f6a432fc562a
Completion: success or wait; Count: 1; Address: 7FF9E4D11D2D; Symbol: unknown (all rows)

Name | Type | Data
ProgramId | unicode | 0006e2bf3af0c07db076afb99b08653d2b6d00000904
FileId | unicode | 00006396c263d7e3c31e6310a62f26d38207f46be81e
LowerCaseLongPath | unicode | c:\users\user\desktop\winlogon.exe
LongPathHash | unicode | winlogon.exe|6ff4f6a432fc562a
Name | unicode | winlogon.exe
Publisher | unicode | microsoft corporation
Version | unicode | 6.3.9600.19447 (winblue_ltsb.190731-0600)
BinFileVersion | unicode | 6.3.9600.19447
BinaryType | unicode | pe64_amd64
ProductName | unicode | microsoft. windows. operating system
ProductVersion | unicode | 6.3.9600.19447
LinkDate | unicode | 07/31/2019 13:31:01
BinProductVersion | unicode | 6.3.9600.19447
Size | binary | 00 B8 08 00 00 00 00 00
Language | dword | 1033
IsPeFile | dword | 1
IsOsComponent | dword | 0
Usn | binary | C8 B3 9A 0A 00 00 00 00
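The inventory values above can be checked against the Static File Info section: Amcache's FileId is the string 0000 followed by the file's SHA1 (6396c2...), Size is a little-endian REG_BINARY QWORD (00 B8 08 00 ... = 0x8B800 = 571392, the reported file size) and LinkDate is the PE TimeDateStamp (0x5D419815 = 2019-07-31 13:31:01 UTC). The Python below, an added example rather than anything from the report or from Joe Sandbox, performs those cross-checks on the values as listed. The file itself is not available, so the hashes are the ones the report prints, and the tamper scenario in the main block is constructed.

```python
"""Cross-check an Amcache InventoryApplicationFile entry against static file info."""
import hashlib
import struct
from datetime import datetime, timezone

# Registry values as listed in the report (REG_BINARY given as raw bytes).
AMCACHE_ENTRY = {
    "FileId": "00006396c263d7e3c31e6310a62f26d38207f46be81e",
    "LowerCaseLongPath": r"c:\users\user\desktop\winlogon.exe",
    "Size": bytes.fromhex("00B8080000000000"),  # little-endian QWORD
    "LinkDate": "07/31/2019 13:31:01",
    "BinFileVersion": "6.3.9600.19447",
}
# Static file information from the report's Static File Info / Static PE Info.
STATIC_INFO = {
    "sha1": "6396c263d7e3c31e6310a62f26d38207f46be81e",
    "size": 571392,
    "pe_timestamp": 0x5D419815,
    "file_version": "6.3.9600.19447",
    "path": r"C:\Users\user\Desktop\winlogon.exe",
}


def file_id_for(data: bytes) -> str:
    """Amcache FileId convention: the string '0000' followed by the SHA1 of the file."""
    return "0000" + hashlib.sha1(data).hexdigest()


def cross_check(entry: dict, static: dict) -> dict:
    """One boolean per field; False means inventory and file disagree
    (file replaced after it was inventoried, or the entry belongs to another file)."""
    link_date = datetime.strptime(entry["LinkDate"], "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    pe_time = datetime.fromtimestamp(static["pe_timestamp"], tz=timezone.utc)
    return {
        "file_id": entry["FileId"].lower() == "0000" + static["sha1"].lower(),
        "size": struct.unpack("<Q", entry["Size"])[0] == static["size"],
        "link_date": link_date == pe_time,
        "version": entry["BinFileVersion"] == static["file_version"],
        "path": entry["LowerCaseLongPath"] == static["path"].lower(),
    }


def is_consistent(entry: dict, static: dict) -> bool:
    return all(cross_check(entry, static).values())


if __name__ == "__main__":
    print(cross_check(AMCACHE_ENTRY, STATIC_INFO))
    # Constructed tamper scenario: the file on disk now hashes differently.
    swapped = dict(STATIC_INFO, sha1=hashlib.sha1(b"constructed replacement").hexdigest())
    print("consistent after swap:", is_consistent(AMCACHE_ENTRY, swapped))
```

On a live system the SHA1 comes from hashing the file at LowerCaseLongPath (`file_id_for` on its bytes gives the expected FileId); a mismatch on file_id with size and link_date still agreeing is the signature of a same-size in-place replacement, which is the case the check exists for.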

Key Value Modified

Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug
Name: ExceptionRecord
Type: binary
Completion: success or wait; Count: 1; Address: 7FF9E4D107CB; Symbol: RegSetValueExW
Old Data / New Data (the two columns were interleaved by extraction and cannot be separated reliably): 7B 02 00 C0 01 00 00 00 05 05 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 4E 63 F4 FD 7F 00 00 88 A3 09 04 FA 7F 00 00 02 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 80 1F AE 10 0B 02 00 00 40 35 D8 0D F7 7F 00 00 02 00 00 00 00 00 00 00 5A 44 D8 0D F7 7F 00 00, followed by zero padding ending in 7F 00 00.

The value is an EXCEPTION_RECORD written by WER for the crash. Its first DWORD, 7B 02 00 C0 in little-endian byte order, is the exception code 0xC000027B (STATUS_STOWED_EXCEPTION), and the QWORDs 40 35 D8 0D F7 7F 00 00 and 5A 44 D8 0D F7 7F 00 00 decode to 0x7FF70DD83540 and 0x7FF70DD8445A, both inside the winlogon.exe image loaded at 0x7ff70dd20000, so the fault originates in the sample's own code rather than in a system DLL.

Disassembly

Code Analysis
