Analysis
max time kernel: 85s
max time network: 88s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 21:35

Static task: static1

Behavioral task: behavioral1
Sample: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe
Resource: win10v2004-20221111-en
General
Target: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe
Size: 138KB
MD5: 0247e1bab5e701f916798dc429622e2e
SHA1: cbb060e08885dfc9c083faeff4dc63a4c883261a
SHA256: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e
SHA512: 10f3f8730e1517bbf1d6bf12d03f94d33b977d4444faf306e6e43ba087f465979d20c8dc07d4d4a6eb7a6591ce4304000377663357ade0a01741ce4f8ed3c358
SSDEEP: 3072:FaHroocRbPEDqJITwPsvO/TH1CrxmCKPcDYYYY4hfTMGJcX:YHk3A2x/L1YKJcX
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid, process):
- 1224 winlogin.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E (winlogin.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{C26DB1DD-D5DF-465B-988F-2D9602618135}281R }ORXGKKZC " (winlogin.exe)

Deletes itself (1 IoCs)
Processes (pid, process):
- 1188 cmd.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 1188 cmd.exe
- 1188 cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (winlogin.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe" (winlogin.exe)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 4 api.ipify.org
- 5 api.ipify.org
- 6 api.ipify.org

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description, pid, process, target process):
- PID 1992 wrote to memory of 1936: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1936: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1936: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1936: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1188: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1188: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1188: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1992 wrote to memory of 1188: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe -> cmd.exe
- PID 1188 wrote to memory of 1324: cmd.exe -> PING.EXE
- PID 1188 wrote to memory of 1324: cmd.exe -> PING.EXE
- PID 1188 wrote to memory of 1324: cmd.exe -> PING.EXE
- PID 1188 wrote to memory of 1324: cmd.exe -> PING.EXE
- PID 1188 wrote to memory of 1224: cmd.exe -> winlogin.exe
- PID 1188 wrote to memory of 1224: cmd.exe -> winlogin.exe
- PID 1188 wrote to memory of 1224: cmd.exe -> winlogin.exe
- PID 1188 wrote to memory of 1224: cmd.exe -> winlogin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 10 localhost
      - Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 138KB
  MD5: 0247e1bab5e701f916798dc429622e2e
  SHA1: cbb060e08885dfc9c083faeff4dc63a4c883261a
  SHA256: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e
  SHA512: 10f3f8730e1517bbf1d6bf12d03f94d33b977d4444faf306e6e43ba087f465979d20c8dc07d4d4a6eb7a6591ce4304000377663357ade0a01741ce4f8ed3c358
- \Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 138KB
  MD5: 0247e1bab5e701f916798dc429622e2e
  SHA1: cbb060e08885dfc9c083faeff4dc63a4c883261a
  SHA256: 9e0c085d7bbee20cd62d110ed418542f6cca3f39666286bc2bff83b503f9187e
  SHA512: 10f3f8730e1517bbf1d6bf12d03f94d33b977d4444faf306e6e43ba087f465979d20c8dc07d4d4a6eb7a6591ce4304000377663357ade0a01741ce4f8ed3c358
- memory/1188-58-0x0000000000000000-mapping.dmp
- memory/1224-63-0x0000000000000000-mapping.dmp
- memory/1224-66-0x0000000001E80000-0x000000000200C000-memory.dmp (Filesize: 1.5MB)
- memory/1324-59-0x0000000000000000-mapping.dmp
- memory/1936-56-0x0000000000000000-mapping.dmp
- memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp (Filesize: 8KB)
- memory/1992-55-0x0000000001EE0000-0x000000000206C000-memory.dmp (Filesize: 1.5MB)