Analysis
max time kernel: 238s
max time network: 335s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 19:29
Static task: static1
Behavioral task: behavioral1
  Sample: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
  Resource: win10v2004-20221111-en
The results on this page are from behavioral1, the Windows 7 x64 run; the SysWOW64 paths and the Wow6432Node Run key below show the 32-bit sample executing under WoW64.
General
Target: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
Size: 99KB
MD5: aeb001c0ad849f513eeaabf035ad3cdd
SHA1: 9629daaf2fea86d645b5a09d1d61bbb96bc9cd80
SHA256: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467
SHA512: 99d49986d7b9d42710ac329d091adabedf7cef38a57a273ee0927b74daf272acce320a610d78fee268d2ae19982f80830a16cb49ccfbc01cb882178ed54b1086
SSDEEP: 1536:VP/eJjJifnHufeMPykoEU4T7JhHWELKNaeRlriYmljvkWwLobkT+:VP/2NeHufu4T7DHW3XriYmljOLobS+
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: winlogin.exe, PID 916
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Process: winlogin.exe
  Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E
  Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{90B69CBF-126F-46A0-AF43-86F334D33.84081E-312R0902NEWGROUP}VDWSWJJD "
  Note: the value written is cfg, not StubPath, so this entry does not by itself make Active Setup execute anything at the next logon; it reads as per-user configuration or an install marker parked under an innocuous-looking key. The GUID-named subkey and the cfg value are still a usable host indicator.
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1952
- Loads dropped DLL (1 IoC)
  Process: cmd.exe, PID 1952
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: winlogin.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  Note: this is the machine-wide HKLM Run key, reached through Wow6432Node because the 32-bit process is registry-redirected under WoW64; writing it requires administrative rights (the sandbox user is Admin), so on a standard-user host this persistence write would fail. A Run value named winlogin whose data points into AppData\Roaming is the indicator to hunt for.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows 4, 5, 6: api.ipify.org
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1660 (ping -n 10 localhost, used as a delay before the original file is deleted)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1720 (submitted sample) wrote to memory of PID 1572 (cmd.exe), 4 times
  PID 1720 (submitted sample) wrote to memory of PID 1952 (cmd.exe), 4 times
  PID 1952 (cmd.exe) wrote to memory of PID 1660 (PING.EXE), 4 times
  PID 1952 (cmd.exe) wrote to memory of PID 916 (winlogin.exe), 4 times
  Note: every write is from a parent into a child it has just created, which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe (PID 1720)
   Command line: "C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 1572)
      Command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
   2. C:\Windows\SysWOW64\cmd.exe (PID 1952)
      Command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1660)
         Command line: ping -n 10 localhost
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe (PID 916)
         Command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Adds Run key to start application

What the tree shows: the sample has already written a copy of itself to %APPDATA%\Windows\winlogin.exe (the dropped file carries the sample's own hashes) before it spawns two cmd.exe children. The first rewrites that copy through a temporary file named ___ in cmd's working directory: type copies only the file's main data stream into ___, and move /Y renames ___ over the original, so the resulting winlogin.exe carries no alternate data streams (a Zone.Identifier mark-of-the-web included). The second child uses ping -n 10 localhost as a roughly nine-second sleep so the parent has exited and released its image before del removes it from Temp, then launches the copy with start /B and exits. cmd /D disables AutoRun commands from the registry, and /R is an alias of /C. The copy (PID 916) is the same binary running from its persistence path; it is what writes the Run key and the Installed Components entry and performs the ipify lookup.
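The chain above (self-copy into AppData, rewrite through a temporary name, ping-as-sleep followed by self-deletion, HKLM Run key and per-user Active Setup writes, external IP lookup) maps onto a handful of host-log detections. The block below is an added example, not part of the sandbox report or of the sample: Python detection logic run over constructed Sysmon-style events modelled on this report's process tree and registry IoCs, plus two constructed benign control events (an MSI installer writing an Active Setup entry, a Program Files application registering its own Run value) that must not fire. The event layout, field names, the installer allowlist and the list of IP-lookup hostnames are assumptions made for illustration; real Sysmon records use different field names.

```python
"""Added example, not part of the sandbox report or the sample: detections for the
behaviours recorded above, run over constructed Sysmon-style events. The event
layout, field names, benign control events and IP-lookup hostnames are assumptions."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ACTIVE_SETUP_KEY = (r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000"
                    r"\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E")

# Constructed events modelled on the report's process tree and registry IoCs, followed by
# two constructed benign controls (an MSI installer and a Program Files app) that must not fire.
EVENTS = [
    {"kind": "process", "pid": 1720, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 1572, "ppid": 1720, "image": CMD,
     "cmdline": f'cmd /D /R type "{DROPPED}" > ___ && move /Y ___ "{DROPPED}"'},
    {"kind": "process", "pid": 1952, "ppid": 1720, "image": CMD,
     "cmdline": f'cmd /D /R ping -n 10 localhost && del "{SAMPLE}" && start /B "" "{DROPPED}" && exit'},
    {"kind": "process", "pid": 1660, "ppid": 1952, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 10 localhost"},
    {"kind": "process", "pid": 916, "ppid": 1952, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"kind": "registry", "pid": 916, "image": DROPPED, "key": ACTIVE_SETUP_KEY, "value": "cfg",
     "data": "{90B69CBF-126F-46A0-AF43-86F334D33.84081E-312R0902NEWGROUP}VDWSWJJD "},
    {"kind": "registry", "pid": 916, "image": DROPPED, "value": "winlogin", "data": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"},
    {"kind": "dns", "pid": 916, "image": DROPPED, "query": "api.ipify.org"},
    # benign controls (constructed GUID, paths and command)
    {"kind": "registry", "pid": 4000, "image": r"C:\Windows\System32\msiexec.exe", "value": "StubPath",
     "data": r"C:\Program Files\Vendor\setup.exe /peruser",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}"},
    {"kind": "registry", "pid": 4100, "image": r"C:\Program Files\Vendor\app.exe", "value": "app",
     "data": r"C:\Program Files\Vendor\app.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com"}  # assumed list
INSTALLERS = {"msiexec.exe", "setup.exe"}  # assumed allowlist of processes expected to write Active Setup
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
DEL_TARGET = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&&|$)', re.I)
TYPE_MOVE = re.compile(r'\btype\s+"?([^">]+?)"?\s*>\s*(\S+)\s*&&\s*move\s+(?:/Y\s+)?(\S+)\s+"?([^"&]+?)"?\s*(?:&&|$)', re.I)
RUN_KEY = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
ACTIVE_SETUP = re.compile(r"\\Software\\Microsoft\\Active Setup\\Installed Components\\\{?[0-9A-F-]{36}\}?$", re.I)
APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\|%APPDATA%", re.I)


def _same_path(a: str, b: str) -> bool:
    return a.strip().strip('"').lower() == b.strip().strip('"').lower()


def analyze(events: list[dict]) -> list[Finding]:
    image_of = {e["pid"]: e["image"] for e in events if e["kind"] == "process"}
    findings: list[Finding] = []
    for e in events:
        pid, image = e["pid"], e["image"]
        if e["kind"] == "process":
            cmd, parent = e["cmdline"], image_of.get(e.get("ppid"), "")
            ping, dele = PING_DELAY.search(cmd), DEL_TARGET.search(cmd)
            # ping -n N localhost sleeps about N-1 seconds; deleting the parent's own image afterwards is self-deletion
            if ping and dele and _same_path(dele.group(1), parent):
                findings.append(Finding("self_delete_after_ping_delay", pid,
                                        f"sleeps ~{int(ping.group(1)) - 1}s via ping, then deletes parent {parent}"))
            tm = TYPE_MOVE.search(cmd)
            # type X > T && move /Y T X recreates X from its main data stream only: no alternate data streams survive
            if tm and tm.group(2) == tm.group(3) and _same_path(tm.group(1), tm.group(4)):
                findings.append(Finding("rewrite_file_via_temp_name", pid, f"{tm.group(1)} rewritten through {tm.group(2)}"))
        elif e["kind"] == "registry":
            key = e["key"]
            hive = "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"
            if RUN_KEY.search(key) and APPDATA.search(e["data"]):
                findings.append(Finding("run_key_points_into_appdata", pid, f"{hive} Run\\{e['value']} = {e['data']}"))
            # per-user Active Setup entries written by a non-installer are worth a look; only a StubPath value
            # actually makes Active Setup execute anything at the next logon, anything else is just storage
            if ACTIVE_SETUP.search(key) and hive == "HKU" and image.rsplit("\\", 1)[-1].lower() not in INSTALLERS:
                what = ("StubPath: runs at next logon" if e["value"].lower() == "stubpath"
                        else f"value '{e['value']}': no execution trigger, likely config storage")
                findings.append(Finding("active_setup_key_written_by_user_process", pid, what))
        elif e["kind"] == "dns" and e["query"].lower() in IP_LOOKUP_HOSTS:
            findings.append(Finding("external_ip_lookup", pid, e["query"]))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The self-deletion rule deliberately requires the del target to equal the parent's image path rather than firing on any ping-then-del chain, and the Active Setup rule distinguishes a StubPath write (a real logon trigger) from the cfg-style value this sample writes, so an analyst reading the alert knows whether a second persistence mechanism is present or only a marker.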
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe (recorded three times in this task)
  Filesize: 99KB
  MD5: aeb001c0ad849f513eeaabf035ad3cdd
  SHA1: 9629daaf2fea86d645b5a09d1d61bbb96bc9cd80
  SHA256: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467
  SHA512: 99d49986d7b9d42710ac329d091adabedf7cef38a57a273ee0927b74daf272acce320a610d78fee268d2ae19982f80830a16cb49ccfbc01cb882178ed54b1086
\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 99KB
  MD5, SHA1, SHA256, SHA512: identical to the entry above
Every dropped-file record carries the submitted sample's own hashes, so winlogin.exe is a byte-for-byte copy of the sample rather than a second-stage payload; one hash set covers both the file in Temp and the persisted copy.
memory/916-61-0x0000000000000000-mapping.dmp
memory/916-63-0x0000000002280000-0x0000000002389000-memory.dmp: 1.0MB
memory/916-64-0x0000000075831000-0x0000000075833000-memory.dmp: 8KB
memory/1572-55-0x0000000000000000-mapping.dmp
memory/1660-58-0x0000000000000000-mapping.dmp
memory/1720-54-0x00000000025B0000-0x00000000026B9000-memory.dmp: 1.0MB
memory/1952-57-0x0000000000000000-mapping.dmp
Note: the submitted sample (PID 1720) and its copy (PID 916) each dump a region of exactly 0x109000 bytes, about ten times the 99KB file on disk, at different base addresses (0x25B0000 and 0x2280000). That is consistent with a dynamically allocated buffer holding an unpacked or decompressed payload rather than the on-disk image, so those two dumps are the natural starting point for static analysis of what the 99KB file expands into.