Analysis
- max time kernel: 75s
- max time network: 83s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 17:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe
  Resource: win10v2004-20221111-en
General
- Target: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe
- Size: 137KB
- MD5: 2a95c5a6b7d2918baa2e652ae3184cdd
- SHA1: baf70ba6b17c15720b9d7cd1cdc9e1c4b53e0148
- SHA256: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4
- SHA512: b058f537d4511d7a3b9cc84f2de211c2f5c299425610b6e3754a1e4ffbbf917512e4e5064b3251e008e835cf2d4d6becfede1307aefad77f108e260d56c99fa3
- SSDEEP: 1536:7+uAoFUlrkqG3p26gEOQBApzaSxI81jkfenLBKBJX8LYlo0yaI3EgcBCFEc5T8YH:6hNGujR9msKBdVyEgcBCFEAT8Y+e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: winlogin.exe
    pid | process
    528 | winlogin.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: winlogin.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{B5C99A8B-13F0-4392-8FFF-D976CD16AD4B}281R }RYNKSFQE " | winlogin.exe
    Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E | winlogin.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid | process
    1532 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: cmd.exe
    pid | process
    1532 | cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: winlogin.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogin.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe" | winlogin.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    4 | api.ipify.org
    5 | api.ipify.org
    6 | api.ipify.org
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe, cmd.exe
    description | pid | process | target process
    PID 1276 wrote to memory of 1120 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1120 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1120 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1120 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1532 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1532 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1532 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1276 wrote to memory of 1532 | 1276 | 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe | cmd.exe
    PID 1532 wrote to memory of 600 | 1532 | cmd.exe | PING.EXE
    PID 1532 wrote to memory of 600 | 1532 | cmd.exe | PING.EXE
    PID 1532 wrote to memory of 600 | 1532 | cmd.exe | PING.EXE
    PID 1532 wrote to memory of 600 | 1532 | cmd.exe | PING.EXE
    PID 1532 wrote to memory of 528 | 1532 | cmd.exe | winlogin.exe
    PID 1532 wrote to memory of 528 | 1532 | cmd.exe | winlogin.exe
    PID 1532 wrote to memory of 528 | 1532 | cmd.exe | winlogin.exe
    PID 1532 wrote to memory of 528 | 1532 | cmd.exe | winlogin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe
  command: "C:\Users\Admin\AppData\Local\Temp\4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  - C:\Windows\SysWOW64\cmd.exe
    command: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
    signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command: ping -n 10 localhost
      signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
      command: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      signatures: Executes dropped EXE; Modifies Installed Components in the registry; Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4063495947-34355257-727531523-1000\3310a4fa6cb9c60504498d7eea986fc2_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b
  Filesize: 50B
  MD5: 45218adff3ea5bde8a8f61987f0f458b
  SHA1: cf7fffa410795cc2f7703755f0acd17b51a44ad7
  SHA256: f95361b82464704675f559b13c007c9567e5914984042f537122383e747194d4
  SHA512: 8442cac48931075ec5bd31ea82faffc4f64d7b6845d5c477d06fc3d7eefeac1fa366b6880a85709a520a343b5dd3771e69bc4b7482cde50e69e04215927a2018
- C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 137KB
  MD5: 2a95c5a6b7d2918baa2e652ae3184cdd
  SHA1: baf70ba6b17c15720b9d7cd1cdc9e1c4b53e0148
  SHA256: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4
  SHA512: b058f537d4511d7a3b9cc84f2de211c2f5c299425610b6e3754a1e4ffbbf917512e4e5064b3251e008e835cf2d4d6becfede1307aefad77f108e260d56c99fa3
- \Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 137KB
  MD5: 2a95c5a6b7d2918baa2e652ae3184cdd
  SHA1: baf70ba6b17c15720b9d7cd1cdc9e1c4b53e0148
  SHA256: 4eab6ff74803fe38704ba7cd524f32f90c9346a5c37f659bba916a232384a6a4
  SHA512: b058f537d4511d7a3b9cc84f2de211c2f5c299425610b6e3754a1e4ffbbf917512e4e5064b3251e008e835cf2d4d6becfede1307aefad77f108e260d56c99fa3
- memory/528-60-0x0000000000000000-mapping.dmp
- memory/528-63-0x00000000020A0000-0x00000000021C1000-memory.dmp
  Filesize: 1.1MB
- memory/528-64-0x00000000758B1000-0x00000000758B3000-memory.dmp
  Filesize: 8KB
- memory/600-58-0x0000000000000000-mapping.dmp
- memory/1120-54-0x0000000000000000-mapping.dmp
- memory/1276-56-0x00000000020C0000-0x00000000021E1000-memory.dmp
  Filesize: 1.1MB
- memory/1532-57-0x0000000000000000-mapping.dmp