9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

General

Target

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe
Size

77KB
MD5

459a1b62476b2b8c246cbebe23ed6035
SHA1

949ace5987007bb1378e2ef7156920269a609943
SHA256

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146
SHA512

d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4
SSDEEP

1536:ZtHF5geAD7efNm9hQH5kCu6W1STnTpGY1hpJ1xzhP9h/nd4:ZxUD7efkNrQTtDphzhPzd4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winlogin.exe

pid process

1992 winlogin.exe

pid	process
1992	winlogin.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E	winlogin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{CC2DD644-C839-4BCD-B037-CF0B57A66547}TARGGR }VUIIVLGQ "	winlogin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

584 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

584 cmd.exe

pid	process
584	cmd.exe

pid	process
584	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe"	winlogin.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

Drops file in System32 directory 2 IoCs

Processes:

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exewinlogin.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	winlogin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE

pid	process
1068	PING.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 1216	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 1216	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 1216	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 1216	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 584	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 584	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 584	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 1728 wrote to memory of 584	1728	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 584 wrote to memory of 1068	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1068	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1068	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1068	584	cmd.exe	PING.EXE
PID 584 wrote to memory of 1992	584	cmd.exe	winlogin.exe
PID 584 wrote to memory of 1992	584	cmd.exe	winlogin.exe
PID 584 wrote to memory of 1992	584	cmd.exe	winlogin.exe
PID 584 wrote to memory of 1992	584	cmd.exe	winlogin.exe

C:\Users\Admin\AppData\Local\Temp\9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe
"C:\Users\Admin\AppData\Local\Temp\9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
2⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:1068

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
77KB

MD5
459a1b62476b2b8c246cbebe23ed6035

SHA1
949ace5987007bb1378e2ef7156920269a609943

SHA256
9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

SHA512
d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
77KB

MD5
459a1b62476b2b8c246cbebe23ed6035

SHA1
949ace5987007bb1378e2ef7156920269a609943

SHA256
9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

SHA512
d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
77KB

MD5
459a1b62476b2b8c246cbebe23ed6035

SHA1
949ace5987007bb1378e2ef7156920269a609943

SHA256
9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

SHA512
d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
194KB

MD5
c5187199ee14318c6ca8db24454edbd5

SHA1
f9211ec6c765ae5d0cca2e48b60a8e2acfcdf6d1

SHA256
2b842fae4c39adae77ea540cd500ffe404b482383522f1f5aa9edf6f116d28e6

SHA512
c1af89f48f4bbe753809a1be033a690dd02a0fd9d3ba3534f0c821052f2f1a9ef8baaa4ef9cc87ad5107e2d3c235bdc32f2008fb54696d98f1847cdc0feef85f

Download Submit
\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
77KB

MD5
459a1b62476b2b8c246cbebe23ed6035

SHA1
949ace5987007bb1378e2ef7156920269a609943

SHA256
9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

SHA512
d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4

Download Submit
memory/584-57-0x0000000000000000-mapping.dmp

Download
memory/1068-58-0x0000000000000000-mapping.dmp

Download
memory/1216-55-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000002010000-0x00000000020A5000-memory.dmp

Filesize
596KB

Download
memory/1992-61-0x0000000000000000-mapping.dmp

Download
memory/1992-64-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1992-65-0x0000000002050000-0x00000000020E5000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads