Analysis
- max time kernel: 91s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 13:46
- Static task: static1
- Behavioral task: behavioral1
  Sample: c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe
  Resource: win7-20220901-en
- Behavioral task: behavioral2
  Sample: c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe
  Resource: win10v2004-20220812-en
General
- Target: c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe
- Size: 118KB
- MD5: aea239b16b4d9378106461ed5dcb56dc
- SHA1: 141e121dfa16864be0138bc5052ccd879089b4ef
- SHA256: c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773
- SHA512: f46b3bef6a7a3403b387b58439965a4df1c6f1fd6466376696ca1bb726262017a34ef03a6d674e84f2fd00c9dbe71e2b1dd1dce11cdf8f546cabb9e996e89518
- SSDEEP: 3072:PQYLhpkD3rY0kf45mc6yCkpBj4FXM9Kx8:PQQhGD3r5kfCAy/BIXMox
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    4224   winlogin.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: winlogin.exe
    description       ioc
    Key created       \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E
    Set value (str)   \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{20D8C42E-238A-4172-B52D-CC19C15AA12F}GRPLOG }XZIOFAVD "
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: winlogin.exe
    description       ioc
    Key created       \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow   ioc
    33     api.ipify.org
    35     api.ipify.org
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe, cmd.exe
    description                          pid    process                                                                   target process
    PID 2372 wrote to memory of 5084     2372   c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe     cmd.exe
    PID 2372 wrote to memory of 5084     2372   c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe     cmd.exe
    PID 2372 wrote to memory of 5084     2372   c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe     cmd.exe
    PID 2372 wrote to memory of 3124     2372   c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe     cmd.exe
    PID 2372 wrote to memory of 3124     2372   c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe     cmd.exe
    PID 2372 wrote to memory of 3124     2372   c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe     cmd.exe
    PID 3124 wrote to memory of 2452     3124   cmd.exe                                                                   PING.EXE
    PID 3124 wrote to memory of 2452     3124   cmd.exe                                                                   PING.EXE
    PID 3124 wrote to memory of 2452     3124   cmd.exe                                                                   PING.EXE
    PID 3124 wrote to memory of 4224     3124   cmd.exe                                                                   winlogin.exe
    PID 3124 wrote to memory of 4224     3124   cmd.exe                                                                   winlogin.exe
    PID 3124 wrote to memory of 4224     3124   cmd.exe                                                                   winlogin.exe
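The two registry signatures above (a Run value that points into the user's AppData tree, and a write under Active Setup "Installed Components" in the user hive with a non-standard value name) can be turned into detection logic. The following is an added example, not part of the Triage report: it replays the two set-value IoCs the sandbox attributed to winlogin.exe through three rules, alongside two constructed benign writes for contrast. The image path of the writing process is an assumption (the report only gives the process name), and the benign events are invented for illustration.

```python
"""Detection logic for the two registry signatures above.

Added example, not part of the Triage report. The first two events are the
set-value IoCs the sandbox attributed to winlogin.exe; the image path of the
writing process is assumed, since the report only names it. The last two
events are constructed benign writes included for contrast.
"""
import re
from dataclasses import dataclass

# Run/RunOnce value under any hive, with or without WOW6432Node.
RUN_VALUE_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
# ...\Active Setup\Installed Components\<component>\<value>
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(?P<component>[^\\]+)\\(?P<value>[^\\]*)$",
    re.I)
# Value names a real Active Setup component uses ("" is the default value that
# holds the display name). Anything else, such as "cfg", means the key is being
# used as a storage location rather than for its documented purpose.
ACTIVE_SETUP_VALUES = {"", "stubpath", "version", "isinstalled", "locale", "componentid", "dontask"}
BRACED_GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Directories an unprivileged user can write to; autostart entries pointing
# here deserve a second look.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)


@dataclass(frozen=True)
class RegSetValue:
    process: str  # image path of the writing process
    path: str     # full \REGISTRY\... path of the value
    data: str


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    path: str


def image_from_command(data: str) -> str:
    """Executable referenced by an autostart value: '"C:\\a b.exe" /x' or 'C:\\a.exe /x'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def classify(ev: RegSetValue) -> list[Finding]:
    findings: list[Finding] = []
    if RUN_VALUE_RE.search(ev.path) and USER_WRITABLE_RE.search(image_from_command(ev.data)):
        findings.append(Finding("run_value_points_to_user_writable_path", ev.process, ev.path))
    m = ACTIVE_SETUP_RE.search(ev.path)
    if m:
        if USER_WRITABLE_RE.search(ev.process):
            findings.append(Finding("active_setup_written_by_user_writable_image", ev.process, ev.path))
        if m["value"].lower() not in ACTIVE_SETUP_VALUES or not BRACED_GUID_RE.match(m["component"]):
            findings.append(Finding("active_setup_nonstandard_component_or_value", ev.process, ev.path))
    return findings


def scan(events) -> list[Finding]:
    return [f for ev in events for f in classify(ev)]


WINLOGIN = r"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-2891029575-1462575-1165213807-1000"
EVENTS = [
    # the two set-value IoCs from the report (image path assumed)
    RegSetValue(WINLOGIN,
                r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin",
                f'"{WINLOGIN}"'),
    RegSetValue(WINLOGIN,
                HKU + r"\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg",
                "{20D8C42E-238A-4172-B52D-CC19C15AA12F}GRPLOG }XZIOFAVD "),
    # constructed benign writes: system binaries from system paths, documented value names
    RegSetValue(r"C:\Windows\System32\msiexec.exe",
                r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                r"C:\Windows\system32\SecurityHealthSystray.exe"),
    RegSetValue(r"C:\Windows\System32\runonce.exe",
                HKU + r"\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version",
                "31,0,0,0"),
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:45} {f.process}  {f.path}")
```

The Run-key rule keys on where the value points rather than on the value name, so renaming "winlogin" does not evade it; the Active Setup rules fire on who writes and what is written, since a genuine component only ever gets a braced GUID subkey and one of the documented value names.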
Processes
- C:\Users\Admin\AppData\Local\Temp\c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe (PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5084)
    Command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 3124)
    Command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2452)
      Command line: ping -n 10 localhost
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe (PID 4224)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      Signatures: Executes dropped EXE; Modifies Installed Components in the registry; Adds Run key to start application
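The two cmd.exe one-liners in the tree above carry the dropper's whole staging sequence. The first rewrites winlogin.exe through a temporary name (`type` writes only the file's main data stream, so after the `move` any Zone.Identifier alternate data stream the original copy carried is gone). The second uses `ping -n 10 localhost` as a roughly nine-second sleep, deletes the submitted sample from Temp and starts the AppData copy. The following added example, not code from the report, parses those command lines (copied verbatim from the tree) and tags both patterns; the parent image is taken from the PID relationships on the page, where 2372 (the sample) spawned both cmd.exe instances.

```python
"""Pull the staging logic out of the two cmd.exe command lines in the tree above.

Added example, not code from the Triage report. The command lines are copied
from the process tree; the parent image is taken from the PID relationships
(2372, the sample, spawned both cmd.exe instances).
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773.exe")
WINLOGIN = r"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
REWRITE_CMD = f'cmd /D /R type "{WINLOGIN}" > ___ && move /Y ___ "{WINLOGIN}"'
RELAUNCH_CMD = (f'cmd /D /R ping -n 10 localhost && del "{SAMPLE}" '
                f'&& start /B "" "{WINLOGIN}" && exit')

# "cmd [/D /R ...] <chain>", with an optional quoted full path to cmd.exe.
CMD_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*\\)?cmd(?:\.exe)?"?\s+(?:/[A-Za-z]\s+)*', re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted token (quotes stripped) or bare word
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def split_chain(cmdline: str) -> list[list[str]]:
    """Strip the cmd prefix and tokenize each &&-separated step.

    Only && is treated as a separator (& and | are not), which covers these one-liners.
    """
    chain = CMD_PREFIX_RE.sub("", cmdline, count=1)
    steps = []
    for step in chain.split("&&"):
        toks = [q or p for q, p in TOKEN_RE.findall(step)]
        if toks:
            steps.append(toks)
    return steps


def delay_seconds(step: list[str]):
    """'ping -n N <loopback>' sleeps roughly N-1 s; 'timeout /t N' sleeps N s."""
    verb = step[0].lower()
    low = [s.lower() for s in step]
    if verb in ("ping", "ping.exe") and "-n" in low and low[-1] in LOOPBACK:
        return int(step[low.index("-n") + 1]) - 1
    if verb in ("timeout", "timeout.exe") and "/t" in low:
        return int(step[low.index("/t") + 1])
    return None


def analyze(cmdline: str, parent_image: str) -> dict:
    """Return the delay, deleted/started paths, temp-name rewrites and tags for a chain."""
    steps = split_chain(cmdline)
    r = {"delay_s": None, "deletes": [], "starts": [], "rewrites": [], "tags": []}
    for i, step in enumerate(steps):
        verb = step[0].lower()
        d = delay_seconds(step)
        if d is not None:
            r["delay_s"] = d
        elif verb in ("del", "erase"):
            r["deletes"] += [a for a in step[1:] if not a.startswith("/")]
        elif verb == "start":
            # start [/B ...] ["title"] program ...; only an empty quoted title is skipped
            args = [a for a in step[1:] if not a.startswith("/")]
            if args and args[0] == "":
                args = args[1:]
            if args:
                r["starts"].append(args[0])
        elif verb == "type" and len(step) >= 4 and step[2] == ">":
            src, tmp = step[1], step[3]
            # 'type src > tmp' followed by 'move/copy ... tmp src' rewrites src in place;
            # the new file carries only the main data stream, so a Zone.Identifier
            # alternate stream on the original is gone afterwards.
            if any(s[0].lower() in ("move", "copy") and tmp in s[1:-1] and s[-1] == src
                   for s in steps[i + 1:]):
                r["rewrites"].append((src, tmp))
    if r["rewrites"]:
        r["tags"].append("rewrite_through_temp_name")
    deleted = {p.lower() for p in r["deletes"]}
    if r["delay_s"] is not None and parent_image.lower() in deleted:
        r["tags"].append("delayed_self_delete")
        if any(p.lower() != parent_image.lower() for p in r["starts"]):
            r["tags"].append("relaunch_from_new_location")
    return r


if __name__ == "__main__":
    for cmd in (REWRITE_CMD, RELAUNCH_CMD):
        print(analyze(cmd, SAMPLE))
```

The delay matters for the sandbox run itself: the ping loop is why winlogin.exe only starts some nine seconds after the sample, and a shorter analysis timeout would have missed the persistence writes entirely.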
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 118KB
  MD5: aea239b16b4d9378106461ed5dcb56dc
  SHA1: 141e121dfa16864be0138bc5052ccd879089b4ef
  SHA256: c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773
  SHA512: f46b3bef6a7a3403b387b58439965a4df1c6f1fd6466376696ca1bb726262017a34ef03a6d674e84f2fd00c9dbe71e2b1dd1dce11cdf8f546cabb9e996e89518
  Note: every hash matches the submitted sample, so the dropped winlogin.exe is a byte-for-byte copy of the original executable rather than a separate second-stage payload.
- memory/2372-132-0x0000000002590000-0x0000000002625000-memory.dmp
  Filesize: 596KB
- memory/2452-136-0x0000000000000000-mapping.dmp
- memory/3124-135-0x0000000000000000-mapping.dmp
- memory/4224-137-0x0000000000000000-mapping.dmp
- memory/4224-140-0x0000000002420000-0x00000000024B5000-memory.dmp
  Filesize: 596KB
- memory/5084-133-0x0000000000000000-mapping.dmp