5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63

General

Target

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
Size

1.0MB
MD5

0ab4a2ab713a752c61f722baa1af6064
SHA1

c2da9dbb319b92a4179e6a3a9a8763cd1e294bcf
SHA256

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63
SHA512

6e402ec98ca7e5fe0062f017a08832966c28db14b80b0bad2f324915e1cd42e97ed69ab0c3a52fd44d84052eeb4f83c011b349c9d17897e2f4acd42ee384d1a8
SSDEEP

12288:EY1FQqDi5HYIsMzxlyvODj0Ihz9/vNRWLLeyFNeMr+8pbnaeDAdp:V1mvNsqqwl+Ln2Mr+YzaSWp

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Mrica\\Ogiri.exe,"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

Ogiri.exe

pid process

3212 Ogiri.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3852 PING.EXE
3520 PING.EXE
808 PING.EXE

pid	process
3212	Ogiri.exe

pid	process
3852	PING.EXE
3520	PING.EXE
808	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exeOgiri.exe

pid	process
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
3212	Ogiri.exe
3212	Ogiri.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exeOgiri.exe

description	pid	process
Token: SeDebugPrivilege	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
Token: SeDebugPrivilege	3212	Ogiri.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.execmd.execmd.exe

description	pid	process	target process
PID 3372 wrote to memory of 204	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe	cmd.exe
PID 3372 wrote to memory of 204	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe	cmd.exe
PID 3372 wrote to memory of 204	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe	cmd.exe
PID 204 wrote to memory of 3852	204	cmd.exe	PING.EXE
PID 204 wrote to memory of 3852	204	cmd.exe	PING.EXE
PID 204 wrote to memory of 3852	204	cmd.exe	PING.EXE
PID 3372 wrote to memory of 3028	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe	cmd.exe
PID 3372 wrote to memory of 3028	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe	cmd.exe
PID 3372 wrote to memory of 3028	3372	5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe	cmd.exe
PID 3028 wrote to memory of 3520	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 3520	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 3520	3028	cmd.exe	PING.EXE
PID 204 wrote to memory of 1324	204	cmd.exe	reg.exe
PID 204 wrote to memory of 1324	204	cmd.exe	reg.exe
PID 204 wrote to memory of 1324	204	cmd.exe	reg.exe
PID 3028 wrote to memory of 808	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 808	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 808	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 3212	3028	cmd.exe	Ogiri.exe
PID 3028 wrote to memory of 3212	3028	cmd.exe	Ogiri.exe
PID 3028 wrote to memory of 3212	3028	cmd.exe	Ogiri.exe

C:\Users\Admin\AppData\Local\Temp\5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe
"C:\Users\Admin\AppData\Local\Temp\5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 37
3⤵
- Runs ping.exe
PID:3852

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1324

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63.exe" "C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 40
3⤵
- Runs ping.exe
PID:3520

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 40
3⤵
- Runs ping.exe
PID:808

C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe
"C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe

Filesize
1.0MB

MD5
0ab4a2ab713a752c61f722baa1af6064

SHA1
c2da9dbb319b92a4179e6a3a9a8763cd1e294bcf

SHA256
5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63

SHA512
6e402ec98ca7e5fe0062f017a08832966c28db14b80b0bad2f324915e1cd42e97ed69ab0c3a52fd44d84052eeb4f83c011b349c9d17897e2f4acd42ee384d1a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mrica\Ogiri.exe

Filesize
1.0MB

MD5
0ab4a2ab713a752c61f722baa1af6064

SHA1
c2da9dbb319b92a4179e6a3a9a8763cd1e294bcf

SHA256
5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63

SHA512
6e402ec98ca7e5fe0062f017a08832966c28db14b80b0bad2f324915e1cd42e97ed69ab0c3a52fd44d84052eeb4f83c011b349c9d17897e2f4acd42ee384d1a8

Download Submit
memory/204-137-0x0000000000000000-mapping.dmp

Download
memory/808-142-0x0000000000000000-mapping.dmp

Download
memory/1324-141-0x0000000000000000-mapping.dmp

Download
memory/3028-139-0x0000000000000000-mapping.dmp

Download
memory/3212-146-0x0000000000A50000-0x0000000000B5E000-memory.dmp

Filesize
1.1MB

Download
memory/3212-143-0x0000000000000000-mapping.dmp

Download
memory/3372-135-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/3372-136-0x0000000006920000-0x000000000692A000-memory.dmp

Filesize
40KB

Download
memory/3372-132-0x0000000000660000-0x000000000076E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-134-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/3372-133-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/3520-140-0x0000000000000000-mapping.dmp

Download
memory/3852-138-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads