9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

Analysis

max time kernel
263s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:30

Target

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe
Size

77KB
MD5

459a1b62476b2b8c246cbebe23ed6035
SHA1

949ace5987007bb1378e2ef7156920269a609943
SHA256

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146
SHA512

d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4
SSDEEP

1536:ZtHF5geAD7efNm9hQH5kCu6W1STnTpGY1hpJ1xzhP9h/nd4:ZxUD7efkNrQTtDphzhPzd4

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

winlogin.exe

pid process

3188 winlogin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4772 PING.EXE

pid	process
3188	winlogin.exe

pid	process
4772	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.execmd.exe

description	pid	process	target process
PID 3424 wrote to memory of 4108	3424	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 3424 wrote to memory of 4108	3424	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 3424 wrote to memory of 4108	3424	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 3424 wrote to memory of 3324	3424	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 3424 wrote to memory of 3324	3424	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 3424 wrote to memory of 3324	3424	9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe	cmd.exe
PID 3324 wrote to memory of 4772	3324	cmd.exe	PING.EXE
PID 3324 wrote to memory of 4772	3324	cmd.exe	PING.EXE
PID 3324 wrote to memory of 4772	3324	cmd.exe	PING.EXE
PID 3324 wrote to memory of 3188	3324	cmd.exe	winlogin.exe
PID 3324 wrote to memory of 3188	3324	cmd.exe	winlogin.exe
PID 3324 wrote to memory of 3188	3324	cmd.exe	winlogin.exe

C:\Users\Admin\AppData\Local\Temp\9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe
"C:\Users\Admin\AppData\Local\Temp\9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\cmd.exe
cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
2⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
3⤵
- Executes dropped EXE
PID:3188

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize
77KB

MD5
459a1b62476b2b8c246cbebe23ed6035

SHA1
949ace5987007bb1378e2ef7156920269a609943

SHA256
9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

SHA512
d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize
77KB

MD5
459a1b62476b2b8c246cbebe23ed6035

SHA1
949ace5987007bb1378e2ef7156920269a609943

SHA256
9e6a1628222295e94b1d15bbfebc0a22d7cf11d78a5785282283215eab062146

SHA512
d7ce41e8ad102917844796cf82bf7da03cbc182aacb39373fe1ba47a63f31993e7e9f5ef2d6a4ee74dd62c0cae43a6e0146866bd4839d4ff638b7a8b0d05b7c4

Download Submit
memory/3188-138-0x0000000000000000-mapping.dmp

Download
memory/3324-136-0x0000000000000000-mapping.dmp

Download
memory/3424-133-0x0000000002600000-0x0000000002695000-memory.dmp

Filesize
596KB

Download
memory/4108-134-0x0000000000000000-mapping.dmp

Download
memory/4772-137-0x0000000000000000-mapping.dmp

Download