Overview

overview

9

Static

static

winlogon.exe

windows7_x64

9

winlogon.exe

windows10-2004_x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    670145b34ab8de90239590d0a76a6c8989fc586c051a5b84042a0dee029c49b7

  • Size

    2.2MB

  • Sample

    220520-d1k19aaecj

  • MD5

    5b809a251488d8deda63df80ff9228a8

  • SHA1

    4a35f03a154a582e7da939f6f47d3563035e6ed5

  • SHA256

    670145b34ab8de90239590d0a76a6c8989fc586c051a5b84042a0dee029c49b7

  • SHA512

    26b381cda5e87c44b8ba9306dbac89bae89340f4293501320a564686eb8f02b106f6e4fcd04f2f41420fd31a5699dd28a21fe3715b47d6c849a3ecf08bc3986a

Score
9/10
minerpersistence

Malware Config

Targets

    • Target

      winlogon.exe

    • Size

      5.5MB

    • MD5

      59d3d2406da9ec9591a7f5064375603c

    • SHA1

      a43f3d2ebfdf2700edec93c1aa3e8d7e529a0294

    • SHA256

      a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d

    • SHA512

      233c715a750e159deb27c1e0d57856d47f8e7ab118933749bf8167abe3f3611fc094bf53584e708e5b34b224435f71ffcf3c85b85f7a00aeb917968b4e5dfad5

    Score
    9/10
    minerpersistence

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

      miner

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks